• Sublime Core Feed
Medium Severity

Brand impersonation: United Healthcare

Description

Detects messages impersonating United Healthcare (UHC) by analyzing display names that contain variations of 'United Healthcare' or 'UHC', including those with character substitutions. The rule excludes legitimate messages from verified UHC domains that pass DMARC authentication and, for senders in high-trust root domains, fires only when DMARC authentication fails.

References

No references.

Sublime Security
Created Aug 25th, 2025 • Last updated Jan 12th, 2026
Source
type.inbound
and (
  // display name contains UHC
  (
    strings.ilike(strings.replace_confusables(sender.display_name),
                  '*united healthcare*'
    )
    or strings.ilike(strings.replace_confusables(sender.display_name), 'UHC*')
    or regex.icontains(sender.display_name, 'united ?health ?care')
  )
  // levenshtein distance similar to UHC
  or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                          'united healthcare'
  ) <= 1
  or (
    regex.icontains(body.current_thread.text, 'united ?health ?care')
    and (
      regex.icontains(body.current_thread.text, 'quick .{0,10}survey')
      // Free benefits/items lure commonly used in UHC impersonation
      or regex.icontains(body.current_thread.text,
                         'dental (benefits?|coverage).{0,50}(free|eligible|no.{0,10}cost)'
      )
      or regex.icontains(body.current_thread.text,
                         'free.{0,30}(toothbrush|dental|benefit)'
      )
    )
  )
  // Brand name in sender local part from non-UHC domain
  or (
    strings.icontains(sender.email.local_part, "unitedhealthcare")
    and sender.email.domain.root_domain not in (
      "uhc.com",
      "unitedhealthcare.com",
      "uhcmedicaresolutions.com",
      "unitedhealthcareupdate.com",
      "yourhealth-wellnessteam.com",
      "uhc-customer.com",
      "leavesource.com"
    )
  )
)
// and the sender is not in org_domains or from UHC domains and passes auth
and not (
  sender.email.domain.root_domain in $org_domains
  or (
    (
      sender.email.domain.root_domain in (
        "uhc.com",
        "unitedhealthcare.com",
        "uhcmedicaresolutions.com",
        "unitedhealthcareupdate.com",
        "yourhealth-wellnessteam.com",
        "uhc-customer.com",
        "leavesource.com"
      )
      or sender.display_name in (
        "UHCOM Faculty Affairs",
        "UHC Construction Services"
      )
    )
    and headers.auth_summary.dmarc.pass
  )
)
// negate UHC job related posting
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name == "Professional and Career Development"
            and .confidence == "high"
)
// and the sender is not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
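The rule above is written in Sublime's MQL, which cannot be run outside the platform. The following Python is an added example (not Sublime Security's code) that re-implements its logic so the matching branches can be exercised against constructed messages: confusable replacement before the display-name comparison, the Levenshtein threshold of 1, the body lure regexes, the brand-in-local-part check, and the DMARC-gated exclusions. The homoglyph table, the `Message` type, the `topics` field standing in for `ml.nlu_classifier(...).topics`, and the `HIGH_TRUST` and sample domains are all assumptions made for this example; the UHC domain and display-name allowlists are copied from the rule.

```python
import re
import unicodedata
from dataclasses import dataclass

# Allowlists copied from the rule on this page.
UHC_DOMAINS = frozenset({
    "uhc.com", "unitedhealthcare.com", "uhcmedicaresolutions.com",
    "unitedhealthcareupdate.com", "yourhealth-wellnessteam.com",
    "uhc-customer.com", "leavesource.com",
})
UHC_DISPLAY_NAMES = frozenset({"UHCOM Faculty Affairs", "UHC Construction Services"})

# Constructed, deliberately small homoglyph map (Cyrillic/Latin look-alikes).
# Assumption: Sublime's strings.replace_confusables() covers far more.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u04bb": "h",
    "\u0131": "i", "\u0142": "l",
}


@dataclass
class Message:
    """Minimal stand-in for the MQL message object (assumption, not Sublime's schema)."""
    display_name: str
    local_part: str
    root_domain: str
    body: str = ""
    dmarc_pass: bool = False
    topics: tuple = ()  # (name, confidence) pairs, stand-in for ml.nlu_classifier output


def replace_confusables(text):
    """NFKC-fold the string, then map known look-alike characters to ASCII."""
    folded = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def display_name_hit(name):
    norm = replace_confusables(name).lower()
    return ("united healthcare" in norm                                   # ilike '*united healthcare*'
            or norm.startswith("uhc")                                     # ilike 'UHC*'
            or re.search(r"united ?health ?care", name, re.I) is not None
            or levenshtein(norm, "united healthcare") <= 1)               # ilevenshtein <= 1


LURES = (r"quick .{0,10}survey",
         r"dental (benefits?|coverage).{0,50}(free|eligible|no.{0,10}cost)",
         r"free.{0,30}(toothbrush|dental|benefit)")


def body_lure_hit(body):
    return (re.search(r"united ?health ?care", body, re.I) is not None
            and any(re.search(p, body, re.I | re.S) for p in LURES))


def local_part_hit(msg):
    return "unitedhealthcare" in msg.local_part.lower() and msg.root_domain not in UHC_DOMAINS


def is_verified_uhc(msg, org_domains):
    """The 'and not (...)' block: org domains, or UHC domains/names that pass DMARC."""
    return (msg.root_domain in org_domains
            or ((msg.root_domain in UHC_DOMAINS or msg.display_name in UHC_DISPLAY_NAMES)
                and msg.dmarc_pass))


def is_career_post(msg):
    return any(n == "Professional and Career Development" and c == "high" for n, c in msg.topics)


def evaluate(msg, org_domains=frozenset(), high_trust=frozenset()):
    """Return True when the message would match the rule."""
    brand_signal = display_name_hit(msg.display_name) or body_lure_hit(msg.body) or local_part_hit(msg)
    # High-trust root domains only count when DMARC fails (last block of the rule).
    high_trust_ok = msg.root_domain not in high_trust or not msg.dmarc_pass
    return brand_signal and not is_verified_uhc(msg, org_domains) and not is_career_post(msg) and high_trust_ok


HIGH_TRUST = frozenset({"trusted-mailer.example"})  # constructed $high_trust_sender_root_domains
SAMPLES = {  # constructed messages, one per branch of the rule
    "homoglyph": Message("Unit\u0435d Healthcare Benefits", "alerts", "benefit-alerts.example"),
    "typo": Message("Unted Healthcare", "noreply", "member-portal.example"),
    "genuine": Message("United Healthcare", "noreply", "uhc.com", dmarc_pass=True),
    "spoofed": Message("United Healthcare", "noreply", "uhc.com", dmarc_pass=False),
    "body_lure": Message("Member Services", "info", "promo.example",
                         body="Your United Healthcare dental coverage now includes a free toothbrush."),
    "job_post": Message("UHC Careers", "jobs", "jobs-board.example",
                        topics=(("Professional and Career Development", "high"),)),
    "high_trust_pass": Message("UHC Newsletter", "news", "trusted-mailer.example", dmarc_pass=True),
    "high_trust_fail": Message("UHC Newsletter", "news", "trusted-mailer.example", dmarc_pass=False),
    "unrelated": Message("Acme Billing", "billing", "acme.example"),
}


def run_samples():
    return {name: evaluate(msg, high_trust=HIGH_TRUST) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16} -> {'MATCH' if verdict else 'no match'}")
```

The `homoglyph` sample only matches because confusables are folded before the substring test; the plain `regex.icontains` branch does not see the Cyrillic letter, which is why the rule applies `strings.replace_confusables` first. The `genuine`/`spoofed` pair shows that the allowlist is conditioned on DMARC, so a forged `uhc.com` sender that fails authentication is still flagged.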