Brand impersonation: Booking.com
Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains.
Sublime rule

name: "Brand impersonation: Booking.com"
description: "Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.links) < 10
  and any(beta.ml_topic(body.current_thread.text).topics,
          .name in (
            "Travel and Transportation",
            "Customer Service and Support",
            "Security and Authentication"
          )
          and .confidence != "low"
          // handle instances in which ml_topic does not hit
          or (
            length(body.links) == 0
            and length(attachments) == 0
            and length(body.current_thread.text) < 1000
            and strings.icontains(sender.display_name, "booking.com")
          )
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "org" and .text == "Booking.com"
        or strings.icontains(body.current_thread.text, ' booking.com ')
        or strings.icontains(sender.display_name, "booking.com")
    )
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft"
    )
    or any(body.links,
           strings.ilike(.display_text,
                         "*review*",
                         "*response*",
                         "*respond*",
                         "*complaint*",
                         "*contact*",
                         "*accommodation*"
           )
           or .display_url.domain.root_domain == "booking.com" and .mismatched
           or network.whois(.href_url.domain).days_old < 30
           or strings.icontains(.href_url.path, "/redir")
    )
    // check for text strings that betray intent
    or regex.icontains(body.current_thread.text, '(book\sa|open)\srooms')
    or strings.ilike(body.current_thread.text, "* availab*")
    // two separate HTML elements impersonating the logo
    or (
      any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes,
          .display_text =~ "Booking"
      )
      and any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes,
              .display_text =~ ".com"
      )
    )
  )
  and sender.email.domain.root_domain not in~ ('booking.com')
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Header analysis"
  - "Sender analysis"
id: "d1d8882f-f7e2-522e-85e9-b33b1ab5c979"
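The three deterministic link checks in the rule above (lure keyword in the display text, a booking.com display URL whose href points elsewhere, and a `/redir` path) approximated in Python as an added example; this is not Sublime's code, `root_domain` is approximated without a public-suffix list, and the `ml_topic`, `nlu_classifier` and `whois` predicates have no offline equivalent and are left out:

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Display-text keywords taken from the rule's strings.ilike("*review*", ...) list.
LINK_TEXT_KEYWORDS = ("review", "response", "respond", "complaint", "contact", "accommodation")

def root_domain(host):
    # Approximation of .domain.root_domain: last two labels, no public-suffix list.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def host_of(text):
    # Hostname of a URL, or of display text that reads as a bare URL (the rule's display_url).
    if " " in text.strip() or "." not in text:
        return ""
    return urlparse(text if "://" in text else "http://" + text).hostname or ""

class LinkExtractor(HTMLParser):
    # Collects (display_text, href) for each <a> element in the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def suspicious_links(html):
    # Returns (href, reason) for every link that trips one of the rule's link checks.
    # The network.whois(...).days_old < 30 check is omitted: it needs a live lookup.
    parser = LinkExtractor()
    parser.feed(html)
    hits = []
    for text, href in parser.links:
        if any(k in text.lower() for k in LINK_TEXT_KEYWORDS):
            hits.append((href, "display text matches lure keyword"))
        elif root_domain(host_of(text)) == "booking.com" and root_domain(host_of(href)) != "booking.com":
            hits.append((href, "display_url is booking.com but href is not (mismatched)"))
        elif "/redir" in urlparse(href).path.lower():
            hits.append((href, "href path contains /redir"))
    return hits
# Constructed sample body (not a real message); the first three links should hit, the last not.
SAMPLE_HTML = """<p>Dear partner, a guest left a complaint.</p>
<a href="https://evil-example.test/login">Respond to the review</a>
<a href="https://evil-example.test/extranet">https://admin.booking.com/hotel/</a>
<a href="https://tracker.example.test/redir?u=1">click here</a>
<a href="https://www.booking.com/help">Help Centre</a>"""
```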