Brand impersonation: Evite

 1name: "Brand impersonation: Evite"
 2description: "Detects messages impersonating Evite invitations by looking for invitation language while not originating from legitimate Evite domains."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and strings.contains(body.html.raw, 'evitecdn.com')
 8  and length(filter(html.xpath(body.html, '//img/@src').nodes,
 9                    // calling parse_url allows url decoding to help us
10                    strings.parse_url(.raw).domain.root_domain == 'evitecdn.com'
11             )
12  ) >= 2
13  and length(filter(body.links,
14                         .href_url.domain.root_domain == "evite.com"
15                         and regex.contains(.href_url.path, '^/_ct/[a-f0-9]{40}/')
16                  )
17  ) < 3
18  and not (
19    (subject.is_forward or subject.is_reply)
20    and (length(headers.references) != 0 or headers.in_reply_to is not null)
21    and length(body.previous_threads) > 0
22  )
23  and not (
24    sender.email.domain.root_domain == "evite.com"
25    and headers.auth_summary.dmarc.pass
26  )  
27
28attack_types:
29  - "Credential Phishing"
30tactics_and_techniques:
31  - "Impersonation: Brand"
32  - "Social engineering"
33detection_methods:
34  - "Content analysis"
35  - "Sender analysis"
36id: "9e867a2b-0175-5d8a-b22f-29bfb3ba6a60"