Brand impersonation: Hulu

Impersonation of Hulu.

Sublime rule (View on GitHub)

# Sublime Security detection rule. The `source` block is MQL, evaluated per
# inbound message; the rule fires when the whole boolean expression is true.
# (Leading numbers on each line are the rendered page's gutter, not rule content.)
 1name: "Brand impersonation: Hulu"
 2description: "Impersonation of Hulu."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
      // Sender-side brand signals: display name contains "hulu", is within one
      // edit of "hulu" (case-insensitive), or the sending domain contains "hulu".
      // NOTE(review): '*hulu*' is a substring match, so unrelated names or domains
      // that merely contain the string also match — confirm the false-positive rate.
 8    strings.ilike(sender.display_name, '*hulu*')
 9    or strings.ilevenshtein(sender.display_name, 'hulu') <= 1
10    or strings.ilike(sender.email.domain.domain, '*hulu*')
11    or (
      // Visual signal: a Hulu logo detected in a screenshot of the message.
      // Only consulted when there are no To recipients or every To/CC domain is
      // invalid — presumably to scope the (beta) screenshot/logo check to
      // undisclosed-recipient style mailings; verify intent with the rule author.
12      (
13        length(recipients.to) == 0
14        or (
15          all(recipients.to, .email.domain.valid == false)
16          and all(recipients.cc, .email.domain.valid == false)
17        )
18      )
19      and any(ml.logo_detect(beta.message_screenshot()).brands,
20              .name == "Hulu" and .confidence in ("medium", "high")
21      )
22    )
23  )
24  and (
      // Allowlist Hulu's legitimate root domains, but still fire when a message
      // claiming one of them fails DMARC (possible spoofing of the real domain).
25    sender.email.domain.root_domain not in ('hulu.com', 'hulumail.com')
26    or (
27      sender.email.domain.root_domain in ('hulu.com', 'hulumail.com')
28      and not headers.auth_summary.dmarc.pass
29    )
30  )
      // Exclude senders whose mail is marked as solicited in the sender profile.
31  and not profile.by_sender().solicited  
32
# Classification metadata for the Sublime platform (tags, not detection logic).
33attack_types:
34  - "Credential Phishing"
35  - "Spam"
36tactics_and_techniques:
37  - "Free email provider"
38  - "Impersonation: Brand"
39  - "Lookalike domain"
40  - "Social engineering"
41detection_methods:
42  - "Computer Vision"
43  - "Header analysis"
44  - "Sender analysis"
# Stable rule identifier (UUID).
45id: "6833de58-23b6-5dea-b7c9-74e7287d8c13"