Brand Impersonation: Gemini Trust Company
Detects messages impersonating Gemini Trust Company through analysis of footer content, social media links, and address verification, excluding legitimate communications from authenticated Gemini domains.
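name: "Brand Impersonation: Gemini Trust Company"
description: "Detects messages impersonating Gemini Trust Company through analysis of footer content, social media links, and address verification, excluding legitimate communications from authenticated Gemini domains."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // 1) the physical address in the footer, paired with the brand name
    //    (.{1,2} absorbs the separator between the address segments)
    (
      regex.icontains(body.current_thread.text,
                      "600 Third Avenue.{1,2}2nd Floor.{1,2}New York, NY"
      )
      and strings.icontains(body.current_thread.text, "Gemini Trust Company")
    )
    // 2) logo detection combined with the sender display name
    //    "Gemini" alone is too generic (other products and the constellation
    //    share the word), so require the exact display name AND a logo hit
    //    whose confidence is not "low"
    or (
      sender.display_name =~ "Gemini"
      and any(ml.logo_detect(beta.message_screenshot()).brands,
              .name == "Gemini Trust" and .confidence != "low"
      )
    )
    // 3) the copyright footer
    //    any four-digit year is accepted so the rule does not silently stop
    //    firing when the footer rolls over; "© 2025 Gemini Trust Company, LLC"
    //    still matches
    or regex.icontains(body.current_thread.text,
                       '©\s*\d{4}\s+Gemini Trust Company, LLC'
    )
    // 4) the social/support links in the footer
    //    counts every link matching one of the known footer URLs and requires
    //    at least four of them (repeated links are counted each time)
    or (
      length(filter(body.links,
                    strings.icontains(.href_url.url,
                                      'https://www.instagram.com/gemini/'
                    )
                    or strings.icontains(.href_url.url,
                                         'https://www.linkedin.com/company/geminitrust/'
                    )
                    or strings.icontains(.href_url.url,
                                         'https://facebook.com/GeminiTrust'
                    )
                    or strings.icontains(.href_url.url,
                                         'https://twitter.com/Gemini'
                    )
                    or strings.icontains(.href_url.url,
                                         'https://support.gemini.com/hc/en-us/requests/new'
                    )
             )
      ) >= 4
    )
  )
  // not forwards/replies
  // NOTE(review): a sender who fabricates a References header and quotes a
  // prior thread also satisfies this exclusion; it is a false-positive
  // tradeoff for genuine forwards, not an authentication check.
  and not (
    length(headers.references) > 0
    and (subject.is_forward or subject.is_reply)
    and length(body.previous_threads) >= 1
  )
  // not from Gemini actual
  // the root-domain check on its own is spoofable via the From header, so the
  // sender is only trusted when DMARC also passes
  and not (
    sender.email.domain.root_domain in (
      "gemini.com",
      "niftygateway.com" // NFT marketplace owned by Gemini Trust Company
    )
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
  - "Sender analysis"
  - "Header analysis"
id: "99574c94-5095-5ec3-a63c-100fdd7dd414"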