Brand impersonation: Automobile assistance associations
Detects messages impersonating automobile associations (AAA, CAA, RAC, etc.) offering vehicle emergency kits or roadside assistance services from untrusted senders.
Sublime rule

name: "Brand impersonation: Automobile assistance associations"
description: "Detects messages impersonating automobile associations (AAA, CAA, RAC, etc.) offering vehicle emergency kits or roadside assistance services from untrusted senders."
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "org"
        and .text in~ (
          'AAA', // American Automobile Assoc.
          'RAC', // UK Royal Automobile Club
          'RAA', // Australia Royal Automotive Assoc.
          'CAA', // Canadian Automobile Assoc.
          'BCAA', // BC Automobile Assoc.
          'AMA', // Alberta Motor Assoc.
        )
    )
  )
  and regex.icontains(body.current_thread.text,
                      '(?:car|vehicle|motor|driver|emergency|road.?side|break.?down|assist|save|discount|complimentary|free\b).{0,10}kit'
  )
  // and the sender is not from high trust sender root domains
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  // negate newsletters and quarantine notifications
  and not (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Newsletters and Digests") and .confidence != "low"
    )
    or strings.icontains(subject.subject, "quarantine")
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Header analysis"
  - "Sender analysis"
id: "283f7fe5-afa2-5a2b-bd6c-0df687ed4a11"
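An offline approximation of the rule's logic, added here as an example for exercising the regex and the negations against constructed sample messages; it is not Sublime's code. The NLU entity and topic classifiers are replaced with stand-ins (a whole-word acronym match and a caller-supplied topic map), `$high_trust_sender_root_domains` is a constructed sample list, and only the regex and the association acronyms are taken from the rule.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Association acronyms the rule accepts as "org" entities (from the rule, matched case-insensitively)
AUTO_ASSOCIATIONS = {"AAA", "RAC", "RAA", "CAA", "BCAA", "AMA"}

# Copied from the rule: a trigger word, then at most 10 characters, then "kit"
KIT_RE = re.compile(
    r"(?:car|vehicle|motor|driver|emergency|road.?side|break.?down|assist|save"
    r"|discount|complimentary|free\b).{0,10}kit",
    re.IGNORECASE,
)

# Stand-in for $high_trust_sender_root_domains (constructed sample, not a real list)
HIGH_TRUST_ROOT_DOMAINS = {"aaa.com", "caa.ca"}


@dataclass
class Message:
    body: str
    subject: str
    sender_root_domain: str
    dmarc_pass: Optional[bool] = None          # None mirrors a missing headers.auth_summary.dmarc.pass
    topics: dict = field(default_factory=dict)  # stand-in for NLU topics: name -> confidence


def org_entities(text: str) -> set:
    """Stand-in for the NLU "org" entities: whole-word, case-insensitive acronym hits."""
    return {m.group(0).upper() for m in re.finditer(r"\b[A-Za-z]{3,4}\b", text)
            if m.group(0).upper() in AUTO_ASSOCIATIONS}


def matches_rule(msg: Message) -> bool:
    impersonates_org = bool(org_entities(msg.body))
    kit_offer = KIT_RE.search(msg.body) is not None
    # coalesce(dmarc.pass, false): a missing DMARC verdict counts as not passing,
    # so a trusted root domain only suppresses the hit when DMARC actually passed
    trusted_sender = (msg.sender_root_domain in HIGH_TRUST_ROOT_DOMAINS
                      and (msg.dmarc_pass or False))
    newsletter = msg.topics.get("Newsletters and Digests") not in (None, "low")
    quarantine = "quarantine" in msg.subject.lower()
    return impersonates_org and kit_offer and not trusted_sender and not (newsletter or quarantine)
```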