Brand impersonation: Booking.com

Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains.

Sublime rule (View on GitHub)

  name: "Brand impersonation: Booking.com"
  description: "Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains."
  type: "rule"
  severity: "medium"
  source: |
    // Scope: inbound mail carrying fewer than 10 body links
    type.inbound
    and length(body.links) < 10
    // Context: NLU topics consistent with a travel / support / security lure,
    // ignoring low-confidence topic hits
    and (
      any(ml.nlu_classifier(body.current_thread.text).topics,
          .name in (
            "Travel and Transportation",
            "Customer Service and Support",
            "Security and Authentication"
          )
          and .confidence != "low"
      )
      // handle instances in which ml_topic does not hit:
      // a short, link-free, attachment-free message whose display name carries the brand
      or (
        length(body.links) == 0
        and length(attachments) == 0
        and length(body.current_thread.text) < 1000
        and strings.icontains(sender.display_name, "booking.com")
      )
    )
    // Brand reference: an NLU "org" entity for Booking.com, a space-delimited
    // "booking.com" in the thread text, or the brand in the sender display name
    and (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "org" and .text == "Booking.com"
      )
      or strings.icontains(body.current_thread.text, ' booking.com ')
      or strings.icontains(sender.display_name, "booking.com")
    )
    // Credential-theft signal: NLU intent, a suspicious link, a telltale phrase,
    // or a logo split across HTML elements
    and (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft"
      )
      or any(body.links,
             // call-to-action link text typical of a fake review/complaint lure
             strings.ilike(.display_text,
                           "*review*",
                           "*response*",
                           "*respond*",
                           "*complaint*",
                           "*contact*",
                           "*accommodation*"
             )
             // display URL shows booking.com but the link is flagged mismatched
             // NOTE(review): relies on `and` binding tighter than `or`, so `.mismatched`
             // only qualifies the booking.com display-URL case — confirm this is intended
             or .display_url.domain.root_domain == "booking.com" and .mismatched
             // href domain registered less than 30 days ago
             // NOTE(review): behaviour when whois returns no days_old (null) is not
             // visible here — confirm the comparison does not silently fail open
             or network.whois(.href_url.domain).days_old < 30
             // "/redir" in the href path, likely a redirector
             or strings.icontains(.href_url.path, "/redir")
      )
      // check for text strings that betray intent
      or regex.icontains(body.current_thread.text, '(?:book\sa|open)\srooms', )
      or strings.ilike(body.current_thread.text, "* availab*", )
      // two separate HTML elements impersonating the logo ("Booking" and ".com"
      // rendered as distinct text nodes)
      or (
        any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes,
            .display_text =~ "Booking"
        )
        and any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes,
                .display_text =~ ".com"
        )
      )
    )
    // Exclusion: legitimate sending domains, but only when DMARC passes —
    // a spoofed From: on one of these domains that fails DMARC still matches.
    // NOTE(review): dmarc.pass is used bare here, unlike the coalesce(..., false)
    // in the quarantine block below — confirm the null case behaves as intended
    and not (
      sender.email.domain.root_domain in~ ('booking.com', 'siteminder.com')
      and headers.auth_summary.dmarc.pass
    )
    // Sender reputation: no solicited history, or a malicious/spam history
    // with no benign messages on record
    and (
      not profile.by_sender().solicited
      or (
        profile.by_sender().any_messages_malicious_or_spam
        and not profile.by_sender().any_messages_benign
      )
    )

    // negate microsoft quarantine messages
    and not (
      sender.email.email == "quarantine@messaging.microsoft.com"
      and (
        headers.auth_summary.dmarc.pass
        // no sender auth but MS AuthAs is Internal
        or (
          not coalesce(headers.auth_summary.dmarc.pass, false)
          and any(headers.hops,
                  .index == 0
                  and any(.fields,
                          .name == "X-MS-Exchange-CrossTenant-AuthAs"
                          and .value == "Internal"
                  )
          )
        )
      )
    )

  attack_types:
    - "Credential Phishing"
  tactics_and_techniques:
    - "Impersonation: Brand"
    - "Social engineering"
  detection_methods:
    - "Natural Language Understanding"
    - "Header analysis"
    - "Sender analysis"
  id: "d1d8882f-f7e2-522e-85e9-b33b1ab5c979"