Medium Severity

Brand impersonation: AARP

Labels

BEC/Fraud

Credential Phishing

Description

Detects messages impersonating AARP by analyzing sender display name and body content for AARP references, address information, or survey-related language from unauthorized senders.

References

No references.

Sublime Security

Created Dec 1st, 2025 • Last updated Dec 1st, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and (
  (
    strings.icontains(sender.display_name, "AARP")
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name in ("request", "financial")
            and regex.icontains(.text, "(?:gift|win|free)")
    )
  )
  or 2 of (
    strings.icontains(body.current_thread.text, 'AARP'),
    strings.icontains(body.current_thread.text, '601 E Street NW'),
    strings.icontains(body.current_thread.text, 'Washington, DC 20049')
  )
  or (
    strings.icontains(body.current_thread.text, 'AARP')
    and (
      regex.icontains(body.current_thread.text, 'quick .{0,10}survey')
      or strings.icontains(body.current_thread.text, "last attempt")
    )
  )
)
// negate job postings related to AARP and newsletters containing AARP
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name in (
              "Professional and Career Development",
              "Newsletters and Digests"
            )
            and .confidence == "high"
)
// and the sender is not in org_domains or from AARP domains and passes auth
and not (
  sender.email.domain.root_domain in $org_domains
  or (
    sender.email.domain.root_domain in (
      "aarp.org",
      "proofpointessentials.com",
      "expedia.com",
      "eventbrite.com",
      "zixcorp.com"
    )
    and headers.auth_summary.dmarc.pass
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.