Brand impersonation: Booking.com
Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Booking.com"
2description: "Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains."
3type: "rule"
4severity: "medium"
# Detection logic is a conjunction of five gates; every top-level `and`
# block below must hold for the rule to fire.
5source: |
// Gate 1: inbound message with fewer than ten links.
6 type.inbound
7 and length(body.links) < 10
// Gate 2: topical pre-filter. Either the NLU topic classifier places the
// message in one of three topics with non-"low" confidence, or (fallback
// branch) a short, link-free, attachment-free message carries
// "booking.com" in the sender display name.
8 and (
9 any(ml.nlu_classifier(body.current_thread.text).topics,
10 .name in (
11 "Travel and Transportation",
12 "Customer Service and Support",
13 "Security and Authentication"
14 )
15 and .confidence != "low"
16 )
17 // handle instances in which ml_topic does not hit
18 or (
19 length(body.links) == 0
20 and length(attachments) == 0
21 and length(body.current_thread.text) < 1000
22 and strings.icontains(sender.display_name, "booking.com")
23 )
24 )
// Gate 3: the brand is actually referenced, via NLU "org" entity, the
// space-padded literal ' booking.com ' in the body (so a domain directly
// followed by punctuation such as "booking.com." does not satisfy this
// branch), or the sender display name.
25 and (
26 any(ml.nlu_classifier(body.current_thread.text).entities,
27 .name == "org" and .text == "Booking.com"
28 )
29 or strings.icontains(body.current_thread.text, ' booking.com ')
30 or strings.icontains(sender.display_name, "booking.com")
31 )
// Gate 4: credential-theft signal. Any one of: NLU cred_theft intent; a
// link whose anchor text is a typical "review/respond/contact" lure, whose
// visible URL shows booking.com while the real href differs, whose href
// root domain is share.google, whose domain is under 30 days old per
// WHOIS, or whose path contains "/redir"; wording about booking/opening
// rooms or availability; or the brand name split across two HTML nodes.
32 and (
33 any(ml.nlu_classifier(body.current_thread.text).intents,
34 .name == "cred_theft"
35 )
36 or any(body.links,
37 strings.ilike(.display_text,
38 "*review*",
39 "*response*",
40 "*respond*",
41 "*complaint*",
42 "*contact*",
43 "*accommodation*",
44 "*view*details*"
45 )
// presumably parsed as (display root domain is booking.com AND mismatched),
// i.e. `and` binding tighter than the surrounding `or` chain — confirm
46 or .display_url.domain.root_domain == "booking.com" and .mismatched
47 or .href_url.domain.root_domain == 'share.google'
48 or network.whois(.href_url.domain).days_old < 30
49 or strings.icontains(.href_url.path, "/redir")
50 )
51 // check for text strings that betray intent
// NOTE(review): this alternation matches "book a rooms" / "open rooms";
// confirm whether the singular "book a room" is meant to match as well
52 or regex.icontains(body.current_thread.text, '(?:book\sa|open)\srooms', )
53 or strings.ilike(body.current_thread.text, "* availab*", )
54 // two separate HTML elements impersonating the logo
55 or (
56 any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes,
57 .display_text =~ "Booking"
58 )
59 and any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes,
60 .display_text =~ ".com"
61 )
62 )
63 )
// Gate 5a: legitimate-sender exclusion. A sender root domain in this list
// suppresses the rule only when DMARC passes; a From header on one of
// these domains that fails (or lacks) DMARC is still evaluated.
64 and not (
65 sender.email.domain.root_domain in~ (
66 'booking.com',
67 'siteminder.com',
68 'thinkreservations.com'
69 )
70 and headers.auth_summary.dmarc.pass
71 )
// Gate 5b: sender reputation. Fire when the sender is unsolicited, or has
// prior malicious/spam messages and no benign ones.
72 and (
73 not profile.by_sender().solicited
74 or (
75 profile.by_sender().any_messages_malicious_or_spam
76 and not profile.by_sender().any_messages_benign
77 )
78 )
79
80 // negate microsoft quarantine messages
// Exclusion for Microsoft quarantine digests: exact sender address, and
// either DMARC pass or (DMARC not passing, null treated as false) the
// first hop carrying X-MS-Exchange-CrossTenant-AuthAs: Internal.
81 and not (
82 sender.email.email == "quarantine@messaging.microsoft.com"
83 and (
84 headers.auth_summary.dmarc.pass
85 // no sender auth but MS AuthAs is Internal
86 or (
87 not coalesce(headers.auth_summary.dmarc.pass, false)
88 and any(headers.hops,
89 .index == 0
90 and any(.fields,
91 .name == "X-MS-Exchange-CrossTenant-AuthAs"
92 and .value == "Internal"
93 )
94 )
95 )
96 )
97 )
98
# Classification metadata used for triage and reporting.
99attack_types:
100 - "Credential Phishing"
101tactics_and_techniques:
102 - "Impersonation: Brand"
103 - "Social engineering"
104detection_methods:
105 - "Natural Language Understanding"
106 - "Header analysis"
107 - "Sender analysis"
108id: "d1d8882f-f7e2-522e-85e9-b33b1ab5c979"