[PR #3068] changed rule: Brand impersonation: Charter Spectrum

github-actions[bot] · github-actions[bot] · commit 7674ef02fbf7 · 2025-08-21T06:47:37.000Z
diff --git a/detection-rules/3068_impersonation_charter_spectrum.yml b/detection-rules/3068_impersonation_charter_spectrum.yml
@@ -0,0 +1,55 @@
+name: "Brand impersonation: Charter Spectrum"
+description: "Detects messages impersonating Charter Spectrum by using variations of 'Spectrum' or 'MyCharter' in the display name while not originating from legitimate Charter domains or failing DMARC authentication."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  // Claim to be Charter or Spectrum in the Display Name
+  and regex.icontains(sender.display_name, 'spe[cç]trum', 'MyCharter')
+  // Exclude authorized sending through legitimate sending domains
+  and not (
+    sender.email.domain.root_domain in (
+      "spectrumemails.com", // primary communication domain
+      "beagleinsight.com", // survey vendor
+      "spectrumreach.com", // direct marketing
+      "charter.com", // service alerts
+      "spectrumenterprise.com", // customer surveys
+      "spectrumcustomersurvey.com", // customer feedback surveys
+      "ccsend.com", // they use constant contact
+      "simplifiednetworkmanagement.com", // cold emailing from this domain
+      "tbjobalerts.com" // Job listings for Spectrum
+    )
+    and headers.auth_summary.dmarc.pass
+  )
+  // necessitated by legit emails that are failing dmarc (they probably use a vendor)
+  and not (
+    sender.email.domain.root_domain in (
+      "spectrum.com", // they use vendors that don't have dmarc pass
+      "spectrum.net" // voicemail notifications - dmarc null
+    )
+    and headers.auth_summary.spf.pass
+  )
+  
+  // Make sure this is related to Charter -- exclude other use of 'spectrum'
+  and regex.icontains(body.current_thread.text, 'Charter')
+  
+  // Head off other jobs emails
+  and not (
+    strings.icontains(body.current_thread.text, "applicant")
+    and strings.icontains(body.current_thread.text, "apply")
+    and strings.icontains(body.current_thread.text, "Opportunity Employer")
+    and strings.icontains(body.current_thread.text, "Opening")
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "26162949-d936-5dd7-a626-6f1b3ca41dff"
+og_id: "f1cd01e0-3f2b-52c3-9e99-66a9726763ce"
+testing_pr: 3068
+testing_sha: 2d51071437d4b73253472e36758b3e2d0484f048
