Sublime Core Feed

Description

Detects messages impersonating Robert Half, a staffing and recruiting company, by analyzing the sender display name, logo detection in the message screenshot, and references to the company's address in the message body. The rule excludes senders in the organization's own domains and senders from legitimate Robert Half domains that pass DMARC authentication.

References

No references.

Sublime Security
Created Sep 15th, 2025 • Last updated Oct 1st, 2025
Source
type.inbound
and (
  strings.icontains(sender.display_name, "Robert Half")
  or (
    any(ml.logo_detect(file.message_screenshot()).brands,
        .name == "Robert Half"
    )
    and strings.icontains(sender.display_name, "Robert Half")
  )
  or 2 of (
    strings.icontains(body.current_thread.text, 'Robert Half'),
    strings.icontains(body.current_thread.text, '2884 Sand Hill Road'),
    strings.icontains(body.current_thread.text, 'Menlo Park, CA 94025')
  )
)
// not a forward or reply
and (headers.in_reply_to is null or length(headers.references) == 0)
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name in (
              "Newsletters and Digests",
              "Voicemail Call and Missed Call Notifications",
              "Advertising and Promotions"
            )
            and .confidence != "low"
)
// and the sender is not in org_domains, and is not a Robert Half domain that passes auth
and not (
  sender.email.domain.root_domain in $org_domains
  or (
    sender.email.domain.root_domain in (
      "roberthalf.com",
      "roberthalf.be",
      "service-now.com",
      "protiviti.com",
      "atlassian.net",
      "workday.com",
      "myworkday.com"
    )
    and headers.auth_summary.dmarc.pass
  )
)
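To make the rule's boolean structure concrete (brand signals, the "2 of" body check, the reply/forward guard, the NLU topic suppression, and the trusted-sender exclusion), here is an added Python model of the same logic. It is not Sublime's code and not MQL: each MQL clause maps to a small function, the ML-derived inputs (logo detection, NLU topics) are precomputed fields on a constructed Message object rather than calls to ml.logo_detect or ml.nlu_classifier, and the sample messages at the bottom are constructed for illustration. The topic confidence strings ("low", "high") are an assumption about the classifier's output.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Root domains the rule treats as legitimate when DMARC passes (taken from the rule).
LEGIT_ROOT_DOMAINS = frozenset({
    "roberthalf.com", "roberthalf.be", "service-now.com", "protiviti.com",
    "atlassian.net", "workday.com", "myworkday.com",
})
# Body strings from the rule's "2 of" block; any two must be present.
BODY_INDICATORS = ("Robert Half", "2884 Sand Hill Road", "Menlo Park, CA 94025")
# NLU topics that suppress the rule unless the classifier confidence is low.
EXCLUDED_TOPICS = frozenset({
    "Newsletters and Digests",
    "Voicemail Call and Missed Call Notifications",
    "Advertising and Promotions",
})


@dataclass
class Message:
    """Constructed stand-in for the MQL message object (added example, not Sublime's API).
    screenshot_brands replaces ml.logo_detect(...).brands; topics replaces
    ml.nlu_classifier(...).topics as (name, confidence) pairs (confidence values assumed)."""
    display_name: str
    sender_root_domain: str
    body_text: str
    dmarc_pass: bool = False
    in_reply_to: Optional[str] = None
    references: List[str] = field(default_factory=list)
    screenshot_brands: List[str] = field(default_factory=list)
    topics: List[Tuple[str, str]] = field(default_factory=list)


def icontains(haystack: str, needle: str) -> bool:
    """Case-insensitive substring test, mirroring strings.icontains."""
    return needle.lower() in haystack.lower()


def brand_signals(msg: Message) -> bool:
    """First MQL block: display name, or logo plus display name, or 2 of 3 body strings."""
    display_hit = icontains(msg.display_name, "Robert Half")
    logo_hit = "Robert Half" in msg.screenshot_brands and display_hit
    body_hits = sum(icontains(msg.body_text, s) for s in BODY_INDICATORS)
    return display_hit or logo_hit or body_hits >= 2


def not_reply_or_forward(msg: Message) -> bool:
    """headers.in_reply_to is null or length(headers.references) == 0."""
    return msg.in_reply_to is None or len(msg.references) == 0


def has_excluded_topic(msg: Message) -> bool:
    """Any excluded NLU topic with confidence other than 'low' suppresses the rule."""
    return any(name in EXCLUDED_TOPICS and conf != "low" for name, conf in msg.topics)


def is_trusted_sender(msg: Message, org_domains: FrozenSet[str]) -> bool:
    """Org domains are always trusted; listed vendor domains only when DMARC passes."""
    return msg.sender_root_domain in org_domains or (
        msg.sender_root_domain in LEGIT_ROOT_DOMAINS and msg.dmarc_pass
    )


def matches(msg: Message, org_domains: FrozenSet[str] = frozenset()) -> bool:
    """Full rule: brand signals AND fresh thread AND no excluded topic AND untrusted sender."""
    return (
        brand_signals(msg)
        and not_reply_or_forward(msg)
        and not has_excluded_topic(msg)
        and not is_trusted_sender(msg, org_domains)
    )


# Constructed sample messages covering each branch of the rule.
SAMPLES: Dict[str, Message] = {
    "lookalike_display_name": Message("Robert Half Recruiting", "example-mail.test",
                                      "We have an opening that fits your profile."),
    "address_only_body": Message("Talent Team", "example.test",
                                 "Robert Half, 2884 Sand Hill Road, Menlo Park, CA 94025"),
    "legit_dmarc_pass": Message("Robert Half", "roberthalf.com", "Your interview details.",
                                dmarc_pass=True),
    "legit_domain_dmarc_fail": Message("Robert Half", "roberthalf.com", "Your interview details.",
                                       dmarc_pass=False),
    "reply_in_thread": Message("Robert Half", "example.test", "Re: your application",
                               in_reply_to="<msg-1@example.test>", references=["<msg-1@example.test>"]),
    "newsletter_topic": Message("Robert Half", "example.test", "This month's hiring trends",
                                topics=[("Newsletters and Digests", "high")]),
    "one_indicator_only": Message("HR", "example.test", "Robert Half has a job for you"),
}


def evaluate_samples(org_domains: FrozenSet[str] = frozenset()) -> Dict[str, bool]:
    """Run the rule over every sample and return name -> match verdict."""
    return {name: matches(msg, org_domains) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:26} -> {'MATCH' if hit else 'no match'}")
```

The legit_domain_dmarc_fail sample shows why the exclusion is tied to DMARC rather than to the domain alone: a message claiming roberthalf.com in the envelope but failing DMARC still fires, while the same sender with a passing DMARC result is suppressed. Adding a root domain to org_domains suppresses it regardless of authentication, which is the behaviour of the $org_domains check in the rule.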