Brand Impersonation: Disney

calendar Mar 4, 2026  ·
Share on: linkedin copy

Detects messages from senders impersonating Disney through display name spoofing or brand logo usage, combined with security-themed content and suspicious authentication patterns.

Sublime rule (View on GitHub)

  1name: "Brand Impersonation: Disney"
  2description: "Detects messages from senders impersonating Disney through display name spoofing or brand logo usage, combined with security-themed content and suspicious authentication patterns."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and (
  8    // display name contains Disney
  9    (
 10      (
 11        strings.ilike(strings.replace_confusables(sender.display_name),
 12                      '*disney*'
 13        )
 14        and not strings.ilike(strings.replace_confusables(sender.display_name),
 15                              '*disney springs*'
 16        )
 17      )
 18      // levenshtein distance similar to Disney
 19      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
 20                              'disney'
 21      ) <= 1
 22      or any(ml.logo_detect(file.message_screenshot()).brands,
 23             .name == "Disney" and .confidence == "high"
 24      )
 25    )
 26  )
 27  and (
 28    (
 29      any(ml.nlu_classifier(body.current_thread.text).topics,
 30          .name in (
 31            "Security and Authentication",
 32            "Secure Message",
 33            "Reminders and Notifications"
 34          )
 35          and .confidence in ("medium", "high")
 36      )
 37      and not any(ml.nlu_classifier(body.current_thread.text).topics,
 38                  .name in ("Newsletters and Digests", "Entertainment and Sports")
 39                  and .confidence in ("medium", "high")
 40      )
 41    )
 42    or (
 43      any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
 44          .name in (
 45            "Security and Authentication",
 46            "Secure Message",
 47            "Reminders and Notifications"
 48          )
 49          and (
 50            .confidence in ("medium", "high")
 51            and beta.ocr(file.message_screenshot()).text != ""
 52          )
 53      )
 54      and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
 55                  .name in ("Newsletters and Digests", "Entertainment and Sports")
 56                  and .confidence in ("medium", "high")
 57      )
 58    )
 59    or any(ml.nlu_classifier(body.current_thread.text).intents,
 60           .name == "cred_theft" and .confidence == "high"
 61    )
 62    or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
 63           .name == "cred_theft" and .confidence == "high"
 64    )
 65  )
 66  
 67  // and the sender is not in org_domains or from Disney domains and passes auth
 68  and not (
 69    sender.email.domain.root_domain in $org_domains
 70    or (
 71      // from https://github.com/v2fly/domain-list-community/blob/master/data/disney
 72      sender.email.domain.root_domain in (
 73        "disney.asia",
 74        "disney.be",
 75        "disney.bg",
 76        "disney.ca",
 77        "disney.ch",
 78        "disney.co.il",
 79        "disney.co.jp",
 80        "disney.co.kr",
 81        "disney.co.th",
 82        "disney.co.uk",
 83        "disney.co.za",
 84        "disney.com",
 85        "disney.com.au",
 86        "disney.com.br",
 87        "disney.com.hk",
 88        "disney.com.tw",
 89        "disney.cz",
 90        "disney.de",
 91        "disney.dk",
 92        "disney.es",
 93        "disney.fi",
 94        "disney.fr",
 95        "disney.gr",
 96        "disney.hu",
 97        "disney.id",
 98        "disney.in",
 99        "disney.io",
100        "disney.it",
101        "disney.my",
102        "disney.nl",
103        "disney.no",
104        "disney.ph",
105        "disney.pl",
106        "disney.pt",
107        "disney.ro",
108        "disney.ru",
109        "disney.se",
110        "disney.sg",
111        "disneysurveys.com",
112        "disneyonline.com",
113        "disneyaccount.com",
114        "disneyadvertising.com",
115        "disneydestinations.com",
116        "hulu.com",
117        "hulumail.com",
118        "canarytechnologies.com", // domain used by a disney resort - hotel mgmt software company
119        "disneyvacationclub.com",
120        "twdc.com",
121        "disneyrewards.com",
122        "disneystore.com",
123        "disneyworld.com"
124      )
125      and headers.auth_summary.dmarc.pass
126    )
127  )
128  // and the sender is not from high trust sender root domains
129  and (
130    (
131      sender.email.domain.root_domain in $high_trust_sender_root_domains
132      and not headers.auth_summary.dmarc.pass
133    )
134    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
135  )
136  and (
137    not profile.by_sender().solicited
138    or not headers.auth_summary.dmarc.pass
139    or not headers.auth_summary.spf.pass
140  )  
141attack_types:
142  - "Credential Phishing"
143tactics_and_techniques:
144  - "Impersonation: Brand"
145  - "Social engineering"
146detection_methods:
147  - "Computer Vision"
148  - "Natural Language Understanding"
149  - "Content analysis"
150  - "Header analysis"
151  - "Sender analysis"
152id: "bf90b8fb-3f6e-5831-9b3c-1d05b2a4a863"
to-top