sublime-security · ben-sublime · Aug 12, 2025 · Aug 12, 2025 · Aug 12, 2025 · Aug 12, 2025
@@ -0,0 +1,74 @@
+name: "Brand impersonation: Charter Spectrum"
+description: "Detects messages impersonating Charter Spectrum by using variations of 'Spectrum' or 'MyCharter' in the display name while not originating from legitimate Charter domains or failing DMARC authentication."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    // Claim to be Charter or Spectrum in the Display Name
+    regex.icontains(sender.display_name, 'spe[cç]trum')
+    or strings.icontains(sender.display_name, 'MyCharter')
+
+    // Claims sent by Charter
+    or strings.icontains(body.current_thread.text,
+                         'This message was sent by Charter Communications.'
+    )
+    or regex.icontains(body.current_thread.text,
+                       ' © \d{4} Charter.?Communications'
+    )
+  )
+  // Exclude authorized sending through legitimate sending domains
+  and not (
+    (
+      sender.email.domain.root_domain in (
+        "spectrumemails.com", // primary communication domain
+        "spectrumtoolbox.com", // used for SpetrumTool Enterprise
+        "beagleinsight.com", // survey vendor
+        "spectrumreach.com", // direct marketing
+        "charter.com", // service alerts
+        "spectrumenterprise.com", // customer surveys
+        "spectrumenterprise.net", // customer surveys
+        "spectrumcustomersurvey.com", // customer feedback surveys
+        "ccsend.com", // they use constant contact
+        "simplifiednetworkmanagement.com", // cold emailing from this domain
+        "tbjobalerts.com", // Job listings for Spectrum
+        "spectruminsiders.com", // legit surveys
+        "spectrumbusinessinsider.com", // legit surveys
+        "joinspectrum.net", // Spectrum reseller
+        "ny1.com", // Spectrum NY1 News channel
+        "mymove.com", // Spectrum reseller
+      )
+      or sender.email.domain.domain in ("email.spectrumbusiness.ringcentral.com")
+    )
+    and headers.auth_summary.dmarc.pass
+  )
+  // necessitated by legit emails that are failing dmarc (they probably use a vendor)
+  and not (
+    sender.email.domain.root_domain in (
+      "spectrum.com", // they use vendors that don't have dmarc pass
+      "spectrum.net", // voicemail notifications - dmarc null
+    )
+    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
+  )
+
+  // Make sure this is related to Charter -- exclude other use of 'spectrum'
+  // use this section to provide strong indications of the brand we are targetting
+  and strings.icontains(body.current_thread.text, 'Charter')
+
+  // Head off other jobs emails
+  and not (
+    strings.icontains(body.current_thread.text, "applicant")
+    and strings.icontains(body.current_thread.text, "apply")
+    and strings.icontains(body.current_thread.text, "Opportunity Employer")
+    and strings.icontains(body.current_thread.text, "Opening")
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "f1cd01e0-3f2b-52c3-9e99-66a9726763ce"