[PR #3068] changed rule: Brand impersonation: Charter Spectrum

github-actions[bot] · github-actions[bot] · commit 8edb990983dc · 2025-09-20T00:19:57.000Z
diff --git a/detection-rules/3068_impersonation_charter_spectrum.yml b/detection-rules/3068_impersonation_charter_spectrum.yml
@@ -0,0 +1,69 @@
+name: "Brand impersonation: Charter Spectrum"
+description: "Detects messages impersonating Charter Spectrum by using variations of 'Spectrum' or 'MyCharter' in the display name while not originating from legitimate Charter domains or failing DMARC authentication."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  
+  and (
+    // Claim to be Charter or Spectrum in the Display Name
+    regex.icontains(sender.display_name, 'spe[cç]trum')
+    or strings.icontains(sender.display_name, 'MyCharter')
+
+    // Claims sent by Charter
+    or strings.icontains(body.current_thread.text, 'This message was sent by Charter Communications.')
+    or regex.icontains(body.current_thread.text, ' © \d{4} Charter.?Communications')
+    
+  )
+  // Exclude authorized sending through legitimate sending domains
+  and not (
+    sender.email.domain.root_domain in (
+      "spectrumemails.com", // primary communication domain
+      "spectrumtoolbox.com", // used for SpetrumTool Enterprise
+      "beagleinsight.com", // survey vendor
+      "spectrumreach.com", // direct marketing
+      "charter.com", // service alerts
+      "spectrumenterprise.com", // customer surveys
+      "spectrumcustomersurvey.com", // customer feedback surveys
+      "ccsend.com", // they use constant contact
+      "simplifiednetworkmanagement.com", // cold emailing from this domain
+      "tbjobalerts.com", // Job listings for Spectrum
+      "spectruminsiders.com" // legit surveys
+    )
+    and headers.auth_summary.dmarc.pass
+  )
+  // necessitated by legit emails that are failing dmarc (they probably use a vendor)
+  and not (
+    sender.email.domain.root_domain in (
+      "spectrum.com", // they use vendors that don't have dmarc pass
+      "spectrum.net", // voicemail notifications - dmarc null
+    )
+    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
+  )
+  
+  // Make sure this is related to Charter -- exclude other use of 'spectrum'
+  // use this section to provide strong indications of the brand we are targetting
+  and (
+     strings.icontains(body.current_thread.text, 'Charter')
+  )
+  
+  // Head off other jobs emails
+  and not (
+    strings.icontains(body.current_thread.text, "applicant")
+    and strings.icontains(body.current_thread.text, "apply")
+    and strings.icontains(body.current_thread.text, "Opportunity Employer")
+    and strings.icontains(body.current_thread.text, "Opening")
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "26162949-d936-5dd7-a626-6f1b3ca41dff"
+og_id: "f1cd01e0-3f2b-52c3-9e99-66a9726763ce"
+testing_pr: 3068
+testing_sha: 511f6d66bef0641f6a0bc9f780049b9cea808d4c
