Brand impersonation: Booking.com

Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Booking.com"
 2description: "Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(body.links) < 10
 8  and any(beta.ml_topic(body.current_thread.text).topics,
 9          .name in (
10            "Travel and Transportation",
11            "Customer Service and Support",
12            "Security and Authentication"
13          )
14          and .confidence != "low"
15          // handle instances in which ml_topic does not hit
16          or (
17            length(body.links) == 0
18            and length(attachments) == 0
19            and length(body.current_thread.text) < 1000
20            and strings.icontains(sender.display_name, "booking.com")
21          )
22  )
23  and (
24    any(ml.nlu_classifier(body.current_thread.text).entities,
25        .name == "org" and .text == "Booking.com"
26        or strings.icontains(body.current_thread.text, ' booking.com ')
27        or strings.icontains(sender.display_name, "booking.com")
28    )
29  )
30  and (
31    any(ml.nlu_classifier(body.current_thread.text).intents,
32        .name == "cred_theft"
33    )
34    or any(body.links,
35           strings.ilike(.display_text,
36                         "*review*",
37                         "*response*",
38                         "*respond*",
39                         "*complaint*",
40                         "*contact*",
41                         "*accommodation*"
42           )
43           or .display_url.domain.root_domain == "booking.com" and .mismatched
44           or network.whois(.href_url.domain).days_old < 30
45           or strings.icontains(.href_url.path, "/redir")
46    )
47    // check for text strings that betray intent
48    or regex.icontains(body.current_thread.text, '(book\sa|open)\srooms', )
49    or strings.ilike(body.current_thread.text, "* availab*", )
50    // two seperate HTML elements impersonating the logo
51    or (
52      any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes,
53          .display_text =~ "Booking"
54      )
55      and any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes,
56              .display_text =~ ".com"
57      )
58    )
59  )
60  and sender.email.domain.root_domain not in~ ('booking.com')
61  and (
62    not profile.by_sender().solicited
63    or (
64      profile.by_sender().any_messages_malicious_or_spam
65      and not profile.by_sender().any_messages_benign
66    )
67  )  
68
69attack_types:
70  - "Credential Phishing"
71tactics_and_techniques:
72  - "Impersonation: Brand"
73  - "Social engineering"
74detection_methods:
75  - "Natural Language Understanding"
76  - "Header analysis"
77  - "Sender analysis"
78id: "d1d8882f-f7e2-522e-85e9-b33b1ab5c979"