Brand impersonation: Hulu

Impersonation of Hulu.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Hulu"
 2description: "Impersonation of Hulu."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    regex.icontains(sender.display_name, '\bhulu\b')
 9    or (
10      strings.ilevenshtein(sender.display_name, 'hulu') <= 1
11      and not (
12        // lulu.com is a self publisher
13        sender.display_name =~ "lulu"
14        and sender.email.domain.root_domain == "lulu.com"
15      )
16      and not (
17        // hudu.com is an IT documentation management platform
18        sender.display_name =~ "hudu"
19        and sender.email.domain.root_domain == "hudu.com"
20      )
21    )
22    or strings.ilike(sender.email.domain.domain, '*hulu*')
23    or (
24      (
25        length(recipients.to) == 0
26        or (
27          all(recipients.to, .email.domain.valid == false)
28          and all(recipients.cc, .email.domain.valid == false)
29        )
30      )
31      and any(ml.logo_detect(file.message_screenshot()).brands,
32              .name == "Hulu" and .confidence in ("medium", "high")
33      )
34    )
35  )
36  and (
37    sender.email.domain.root_domain not in (
38      'hulu.com',
39      'hulumail.com',
40      'hulu.jp',
41      'hulu-japan.jp'
42    )
43    or (
44      sender.email.domain.root_domain in (
45        'hulu.com',
46        'hulumail.com',
47        'hulu.jp',
48        'hulu-japan.jp'
49      )
50      and not headers.auth_summary.dmarc.pass
51    )
52  )
53  and not profile.by_sender().solicited  
54attack_types:
55  - "Credential Phishing"
56  - "Spam"
57tactics_and_techniques:
58  - "Free email provider"
59  - "Impersonation: Brand"
60  - "Lookalike domain"
61  - "Social engineering"
62detection_methods:
63  - "Computer Vision"
64  - "Header analysis"
65  - "Sender analysis"
66id: "6833de58-23b6-5dea-b7c9-74e7287d8c13"