Brand Impersonation: Booking.com

Detects messages purporting to be from Booking.com's support team that contain suspicious credential-collection patterns. The thread must be classified with high confidence as travel or customer-support content and must name Booking.com (as an NLU "org" entity or as the space-delimited text " booking.com "). It must also show at least one credential-theft signal: an NLU "cred_theft" intent, a link whose anchor text mentions review, complaint, contact or accommodation, a link that displays a booking.com URL but points elsewhere, or a link whose destination domain was registered fewer than 30 days ago. The sender's root domain is not booking.com, and the sender is either unsolicited or has a history of malicious or spam messages with no recorded false positives. Note that the rule body performs no DMARC or other header-authentication check; legitimate mail is excluded only by the sender root-domain comparison, so that exclusion list must match the domains Booking.com actually sends from. The text match requires a space on both sides, so a mention such as "Booking.com." at the end of a sentence only qualifies through the NLU entity branch.

Sublime rule (View on GitHub)

name: "Brand Impersonation: Booking.com"
description: "Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.links) < 10
  and any(beta.ml_topic(body.current_thread.text).topics,
          .name in ("Travel and Transportation", "Customer Service and Support")
          and .confidence == "high"
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "org" and .text == "Booking.com"
        or strings.icontains(body.current_thread.text, ' booking.com ')
    )
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft"
    )
    or any(body.links,
           strings.ilike(.display_text,
                         "*review*",
                         "*complaint*",
                         "*contact*",
                         "*accommodation*"
           )
           or .display_url.domain.root_domain == "booking.com" and .mismatched
           or network.whois(.href_url.domain).days_old < 30
    )
  )
  and sender.email.domain.root_domain not in~ ('booking.com')
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Header analysis"
  - "Sender analysis"
id: "d1d8882f-f7e2-522e-85e9-b33b1ab5c979"
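The following Python is an added worked example, not part of the Sublime rule or its repository. It re-implements the rule's deterministic checks (link count, brand mention, suspicious-link heuristics, sender root-domain exclusion and sender-profile gate) and runs them over constructed sample messages. The ML outputs (topics, intents, "org" entities) and WHOIS ages that Sublime computes are supplied as constructed inputs, and `root_domain` is a toy two-label version rather than a public-suffix-list lookup. The third sample shows the caveat that the space-delimited text match misses a brand mention followed by a period.

```python
"""Constructed re-implementation of the non-ML logic of the Booking.com brand
impersonation rule, run over constructed sample messages.  Added example; not
Sublime's engine.  ML results and WHOIS ages are assumed inputs."""
from dataclasses import dataclass
from urllib.parse import urlparse

BRAND_ROOT = "booking.com"
DISPLAY_KEYWORDS = ("review", "complaint", "contact", "accommodation")
# Constructed stand-in for network.whois(domain).days_old.
WHOIS_DAYS_OLD = {"booking-guest-review.com": 12, "booking.com": 9000, "example.org": 5000}


@dataclass
class Link:
    display_text: str
    href_url: str
    display_url: str = ""      # set when the anchor text itself looks like a URL


@dataclass
class Message:
    sender_domain: str
    body_text: str
    links: list
    topics: set          # high-confidence topics from beta.ml_topic (assumed given)
    intents: set         # intents from ml.nlu_classifier (assumed given)
    org_entities: set    # 'org' entity texts from ml.nlu_classifier (assumed given)
    solicited: bool
    any_malicious_or_spam: bool
    any_false_positives: bool


def root_domain(host: str) -> str:
    """Toy root domain: last two labels.  Sublime uses the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url: str) -> str:
    return urlparse(url).hostname or ""


def brand_mentioned(m: Message) -> bool:
    """Exact 'Booking.com' org entity, or the space-delimited text match.
    The icontains pattern needs a space on both sides, so 'Booking.com.' at the
    end of a sentence does not satisfy the text branch."""
    return "Booking.com" in m.org_entities or " booking.com " in m.body_text.lower()


def suspicious_link(link: Link) -> bool:
    """Anchor-text keyword, booking.com display URL pointing elsewhere, or a
    destination domain younger than 30 days (from the constructed WHOIS table)."""
    if any(k in link.display_text.lower() for k in DISPLAY_KEYWORDS):
        return True
    if link.display_url:
        shown = root_domain(host_of(link.display_url))
        if shown == BRAND_ROOT and shown != root_domain(host_of(link.href_url)):
            return True
    return WHOIS_DAYS_OLD.get(root_domain(host_of(link.href_url)), 10_000) < 30


def sender_profile_flag(m: Message) -> bool:
    return (not m.solicited) or (m.any_malicious_or_spam and not m.any_false_positives)


def matches(m: Message) -> bool:
    """Mirror of the rule's top-level conjunction."""
    return (
        len(m.links) < 10
        and bool(m.topics & {"Travel and Transportation", "Customer Service and Support"})
        and brand_mentioned(m)
        and ("cred_theft" in m.intents or any(suspicious_link(l) for l in m.links))
        and root_domain(m.sender_domain) != BRAND_ROOT
        and sender_profile_flag(m)
    )


# Constructed samples.
PHISH = Message(
    sender_domain="booking-guest-review.com",
    body_text="A guest filed a complaint about your property on Booking.com and it needs a reply.",
    links=[Link("Review complaint", "https://booking-guest-review.com/partner/login")],
    topics={"Customer Service and Support"}, intents=set(), org_entities=set(),
    solicited=False, any_malicious_or_spam=False, any_false_positives=False,
)
LEGIT = Message(
    sender_domain="booking.com",
    body_text="Your reservation on Booking.com is confirmed.",
    links=[Link("Contact property", "https://booking.com/help")],
    topics={"Travel and Transportation"}, intents=set(), org_entities={"Booking.com"},
    solicited=True, any_malicious_or_spam=False, any_false_positives=False,
)
# Brand written as 'Booking.com.' with no NLU entity: the text branch misses it.
TRAILING_PERIOD = Message(
    sender_domain="example.org",
    body_text="Please update your details with Booking.com.",
    links=[Link("Update now", "https://example.org/update")],
    topics={"Customer Service and Support"}, intents={"cred_theft"}, org_entities=set(),
    solicited=False, any_malicious_or_spam=False, any_false_positives=False,
)

if __name__ == "__main__":
    for name, m in (("PHISH", PHISH), ("LEGIT", LEGIT), ("TRAILING_PERIOD", TRAILING_PERIOD)):
        print(name, matches(m))
```

The legitimate sample is excluded solely by the sender root-domain comparison, which is the point made above about the absence of a header-authentication check in the rule.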