Brand impersonation: Booking.com
Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains.
Sublime rule (View on GitHub)
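name: "Brand impersonation: Booking.com"
description: "Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // sparse link count; messages carrying 10 or more links are out of scope
  and length(body.links) < 10
  // message context: an NLU topic matching a travel / support / security pretext,
  // excluding low-confidence topic hits
  and (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in (
          "Travel and Transportation",
          "Customer Service and Support",
          "Security and Authentication"
        )
        and .confidence != "low"
    )
    // handle instances in which ml_topic does not hit:
    // short, link-free, attachment-free text whose display name claims booking.com
    or (
      length(body.links) == 0
      and length(attachments) == 0
      and length(body.current_thread.text) < 1000
      and strings.icontains(sender.display_name, "booking.com")
    )
  )
  // brand reference: NLU org entity, a bare " booking.com " mention, the sender
  // display name, or any two of the brand name / street address / city strings
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "org" and .text == "Booking.com"
    )
    or strings.icontains(body.current_thread.text, ' booking.com ')
    or strings.icontains(sender.display_name, "booking.com")
    or 2 of (
      strings.icontains(body.current_thread.text, "Booking.com"),
      strings.icontains(body.current_thread.text, "Oosterdokskade 163"),
      strings.icontains(body.current_thread.text, "Amsterdam")
    )
  )
  // credential-theft signal: NLU intent, or a link that has lure-style display text,
  // a booking.com display URL on a mismatched link, a share.google href, a domain
  // registered less than 30 days ago, or a "/redir" path
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft"
    )
    or any(body.links,
           strings.ilike(.display_text,
                         "*review*",
                         "*response*",
                         "*respond*",
                         "*complaint*",
                         "*contact*",
                         "*accommodation*",
                         "*view*details*"
           )
           // booking.com is shown as the display URL while the link is flagged mismatched
           or .display_url.domain.root_domain == "booking.com" and .mismatched
           or .href_url.domain.root_domain == 'share.google'
           or network.whois(.href_url.domain).days_old < 30
           or strings.icontains(.href_url.path, "/redir")
    )
    // check for text strings that betray intent
    or regex.icontains(body.current_thread.text, '(?:book\sa|open)\srooms', )
    or strings.ilike(body.current_thread.text, "* availab*", )
    // two separate HTML elements impersonating the logo ("Booking" and ".com" in distinct text nodes)
    or (
      any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes,
          .display_text =~ "Booking"
      )
      and any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes,
              .display_text =~ ".com"
      )
    )
  )
  // legitimate sender domains are exempted only when DMARC passes; a From
  // domain in this list without a DMARC pass stays in scope
  and not (
    sender.email.domain.root_domain in~ (
      'booking.com',
      'siteminder.com',
      'thinkreservations.com'
    )
    and headers.auth_summary.dmarc.pass
  )
  // sender reputation: unsolicited, or prior malicious/spam with no benign history
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )

  // negate microsoft quarantine messages
  and not (
    sender.email.email == "quarantine@messaging.microsoft.com"
    and (
      headers.auth_summary.dmarc.pass
      // no sender auth but MS AuthAs is Internal
      // coalesce() maps an absent DMARC result to false so the negation is well-defined
      or (
        not coalesce(headers.auth_summary.dmarc.pass, false)
        and any(headers.hops,
                .index == 0
                and any(.fields,
                        .name == "X-MS-Exchange-CrossTenant-AuthAs"
                        and .value == "Internal"
                )
        )
      )
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Header analysis"
  - "Sender analysis"
id: "d1d8882f-f7e2-522e-85e9-b33b1ab5c979"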