Brand impersonation: Booking.com

Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Booking.com"
 2description: "Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(body.links) < 10
 8  and (
 9    any(ml.nlu_classifier(body.current_thread.text).topics,
10        .name in (
11          "Travel and Transportation",
12          "Customer Service and Support",
13          "Security and Authentication"
14        )
15        and .confidence != "low"
16    )
17    // handle instances in which ml_topic does not hit
18    or (
19      length(body.links) == 0
20      and length(attachments) == 0
21      and length(body.current_thread.text) < 1000
22      and strings.icontains(sender.display_name, "booking.com")
23    )
24  )
25  and (
26    any(ml.nlu_classifier(body.current_thread.text).entities,
27        .name == "org" and .text == "Booking.com"
28    )
29    or strings.icontains(body.current_thread.text, ' booking.com ')
30    or strings.icontains(sender.display_name, "booking.com")
31  )
32  and (
33    any(ml.nlu_classifier(body.current_thread.text).intents,
34        .name == "cred_theft"
35    )
36    or any(body.links,
37           strings.ilike(.display_text,
38                         "*review*",
39                         "*response*",
40                         "*respond*",
41                         "*complaint*",
42                         "*contact*",
43                         "*accommodation*"
44           )
45           or .display_url.domain.root_domain == "booking.com" and .mismatched
46           or network.whois(.href_url.domain).days_old < 30
47           or strings.icontains(.href_url.path, "/redir")
48    )
49    // check for text strings that betray intent
50    or regex.icontains(body.current_thread.text, '(?:book\sa|open)\srooms', )
51    or strings.ilike(body.current_thread.text, "* availab*", )
52    // two seperate HTML elements impersonating the logo
53    or (
54      any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes,
55          .display_text =~ "Booking"
56      )
57      and any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes,
58              .display_text =~ ".com"
59      )
60    )
61  )
62  and not (
63    sender.email.domain.root_domain in~ ('booking.com', 'siteminder.com')
64    and headers.auth_summary.dmarc.pass
65  )
66  and (
67    not profile.by_sender().solicited
68    or (
69      profile.by_sender().any_messages_malicious_or_spam
70      and not profile.by_sender().any_messages_benign
71    )
72  )  
73
74attack_types:
75  - "Credential Phishing"
76tactics_and_techniques:
77  - "Impersonation: Brand"
78  - "Social engineering"
79detection_methods:
80  - "Natural Language Understanding"
81  - "Header analysis"
82  - "Sender analysis"
83id: "d1d8882f-f7e2-522e-85e9-b33b1ab5c979"