Medium Severity

Brand Impersonation: Vanguard

Labels

BEC/Fraud

Callback Phishing

Natural Language Understanding

Header analysis

Sender analysis

Description

Detects inbound messages from senders using Vanguard-like display names or domains, excluding legitimate Vanguard domains and authenticated communications. Additional checks ensure the sender is not from trusted organizational domains or high-trust sender domains with proper authentication.

References

No references.

Sublime Security

Created Mar 31st, 2025 • Last updated Apr 11th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and (
  // display name contains Vanguard
  (
    strings.ilike(strings.replace_confusables(sender.display_name),
                  '*vanguard*'
    )
    // levenshtein distance similar to Vanguard
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'vanguard'
    ) <= 1
    // sender domain contains Vanguard
    or strings.ilike(strings.replace_confusables(sender.email.domain.domain),
                     '*vanguard*'
    )
  )
)
and (
  (
    any(beta.ml_topic(body.current_thread.text).topics,
        .name in (
          "Security and Authentication",
          "Secure Message",
          "Financial Communications"
        )
        and .confidence == "high"
    )
    or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,
           .name in (
             "Security and Authentication",
             "Secure Message",
             "Financial Communications"
           )
           and .confidence == "high"
    )
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
    )
    or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
           .name == "cred_theft" and .confidence == "high"
    )
  )
)

// and the sender is not in org_domains or from Vanguard domains and passes auth
and not (
  sender.email.domain.root_domain in $org_domains
  or (
    sender.email.domain.root_domain in (
      "vanguard.com",
      "vanguardcharitable.org", // philanthropic giving arm
      "vanguardmexico.com",
      "vanguardcanada.ca",
      "vanguard.co.uk",
      "vanguard.com.au",
      "vanguard.com.hk",
      "vanguardinvestor.co.uk",
      "vanguardretirement-mail.com",
      "e-vanguard.com",
      "e-vanguardcharitable.org",
      "feedback-vanguard.com",
      "m-vanguard.com",
      "investordelivery.com",
      "retsupport.com"
    )
    and headers.auth_summary.dmarc.pass
  )
)
// and the sender is not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.