Brand Impersonation: Gemini Trust Company

Detects messages impersonating Gemini Trust Company by matching footer content (the postal address and the copyright line), the set of Gemini social-media/support links, and a detected Gemini logo paired with a "Gemini" sender display name, while excluding quoted forwards/replies and legitimate mail from DMARC-authenticated Gemini-owned domains.


 1name: "Brand Impersonation: Gemini Trust Company"
 2description: "Detects messages impersonating Gemini Trust Company through analysis of footer content, social media links, and address verification, excluding legitimate communications from authenticated Gemini domains."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    // the address in the footer
 9    (
10      regex.icontains(body.current_thread.text,
11                      "600 Third Avenue.{1,2}2nd Floor.{1,2}New York, NY"
12      )
13      and strings.icontains(body.current_thread.text, "Gemini Trust Company")
14    )
15    // logo detect combined with sender display name 
16    // need to be more specific here due to other uses of the word "Gemini"
17    or (
18      sender.display_name =~ "Gemini"
19      and any(ml.logo_detect(beta.message_screenshot()).brands,
20              .name == "Gemini Trust" and .confidence != "low"
21      )
22    )
23    // copyright footer
24    or strings.icontains(body.current_thread.text, '© 2025 Gemini Trust Company, LLC')
25  
26    // the social links in the footer
27    or (
28      length(filter(body.links,
29                    strings.icontains(.href_url.url,
30                                      'https://www.instagram.com/gemini/'
31                    )
32                    or strings.icontains(.href_url.url,
33                                         'https://www.linkedin.com/company/geminitrust/'
34                    )
35                    or strings.icontains(.href_url.url,
36                                         'https://facebook.com/GeminiTrust'
37                    )
38                    or strings.icontains(.href_url.url,
39                                         'https://twitter.com/Gemini'
40                    )
41                    or strings.icontains(.href_url.url,
42                                         'https://support.gemini.com/hc/en-us/requests/new'
43                    )
44                    or strings.icontains(.href_url.url,
45                                         'https://support.gemini.com/hc/en-us/requests/new'
46                    )
47             )
48      ) >= 4
49    )
50  )
51  // not forwards/replies
52  and not (
53    length(headers.references) > 0
54    and (subject.is_forward or subject.is_reply)
55    and length(body.previous_threads) >= 1
56  )
57  // not from Gemini actual
58  and not (
59    sender.email.domain.root_domain in (
60      "gemini.com", 
61      "niftygateway.com" // NFT market place owned by Gemini Trust Company
62    )
63    and headers.auth_summary.dmarc.pass
64  )  
65attack_types:
66  - "Credential Phishing"
67tactics_and_techniques:
68  - "Impersonation: Brand"
69  - "Social engineering"
70detection_methods:
71  - "Content analysis"
72  - "URL analysis"
73  - "Sender analysis"
74  - "Header analysis"
75id: "99574c94-5095-5ec3-a63c-100fdd7dd414"