Brand impersonation: Hulu

 1name: "Brand impersonation: Hulu"
 2description: "Impersonation of Hulu."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    regex.icontains(sender.display_name, '\bhulu\b')
 9    or (
10      strings.ilevenshtein(sender.display_name, 'hulu') <= 1
11      and not (
12        // lulu.com is a self publisher
13        sender.display_name =~ "lulu"
14        and sender.email.domain.root_domain == "lulu.com"
15      )
16      and not (
17        // hudu.com is an IT documentation management platform
18        sender.display_name =~ "hudu"
19        and sender.email.domain.root_domain == "hudu.com"
20      )
21    )
22    or strings.ilike(sender.email.domain.domain, '*hulu*')
23    or (
24      (
25        length(recipients.to) == 0
26        or (
27          all(recipients.to, .email.domain.valid == false)
28          and all(recipients.cc, .email.domain.valid == false)
29        )
30      )
31      and any(ml.logo_detect(beta.message_screenshot()).brands,
32              .name == "Hulu" and .confidence in ("medium", "high")
33      )
34    )
35  )
36  and (
37    sender.email.domain.root_domain not in ('hulu.com', 'hulumail.com', 'hulu.jp', 'hulu-japan.jp')
38    or (
39      sender.email.domain.root_domain in ('hulu.com', 'hulumail.com', 'hulu.jp', 'hulu-japan.jp')
40      and not headers.auth_summary.dmarc.pass
41    )
42  )
43  and not profile.by_sender().solicited  
44attack_types:
45  - "Credential Phishing"
46  - "Spam"
47tactics_and_techniques:
48  - "Free email provider"
49  - "Impersonation: Brand"
50  - "Lookalike domain"
51  - "Social engineering"
52detection_methods:
53  - "Computer Vision"
54  - "Header analysis"
55  - "Sender analysis"
56id: "6833de58-23b6-5dea-b7c9-74e7287d8c13"