Brand Impersonation: Booking.com

 1name: "Brand Impersonation: Booking.com"
 2description: "Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(body.links) < 10
 8  and any(beta.ml_topic(body.current_thread.text).topics,
 9          .name in ("Travel and Transportation", "Customer Service and Support")
10          and .confidence == "high"
11  )
12  and any(ml.nlu_classifier(body.current_thread.text).entities,
13          .name == "org" and .text == "Booking.com"
14  )
15  and any(ml.nlu_classifier(body.current_thread.text).intents,
16          .name == "cred_theft"
17  )
18  and sender.email.domain.root_domain not in~ ('booking.com')
19  and (
20    not profile.by_sender().solicited
21    or (
22      profile.by_sender().any_messages_malicious_or_spam
23      and not profile.by_sender().any_false_positives
24    )
25  )
26  
27  // negate highly trusted sender domains unless they fail DMARC authentication
28  and (
29    (
30      sender.email.domain.root_domain in $high_trust_sender_root_domains
31      and not headers.auth_summary.dmarc.pass
32    )
33    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
34  )  
35
36attack_types:
37  - "Credential Phishing"
38tactics_and_techniques:
39  - "Impersonation: Brand"
40  - "Social engineering"
41detection_methods:
42  - "Natural Language Understanding"
43  - "Header analysis"
44  - "Sender analysis"
45id: "d1d8882f-f7e2-522e-85e9-b33b1ab5c979"