Brand impersonation: Hulu

Impersonation of Hulu.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Hulu"
 2description: "Impersonation of Hulu."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    regex.icontains(sender.display_name, '\bhulu\b')
 9    or (
10      strings.ilevenshtein(sender.display_name, 'hulu') <= 1
11      and not (
12        // lulu.com is a self publisher
13        sender.display_name =~ "lulu"
14        and sender.email.domain.root_domain == "lulu.com"
15      )
16      and not (
17        // hudu.com is an IT documentation management platform
18        sender.display_name =~ "hudu"
19        and sender.email.domain.root_domain == "hudu.com"
20      )
21    )
22    or strings.ilike(sender.email.domain.domain, '*hulu*')
23    or (
24      (
25        length(recipients.to) == 0
26        or (
27          all(recipients.to, .email.domain.valid == false)
28          and all(recipients.cc, .email.domain.valid == false)
29        )
30      )
31      and any(ml.logo_detect(beta.message_screenshot()).brands,
32              .name == "Hulu" and .confidence in ("medium", "high")
33      )
34    )
35  )
36  and (
37    sender.email.domain.root_domain not in ('hulu.com', 'hulumail.com', 'hulu.jp', 'hulu-japan.jp')
38    or (
39      sender.email.domain.root_domain in ('hulu.com', 'hulumail.com', 'hulu.jp', 'hulu-japan.jp')
40      and not headers.auth_summary.dmarc.pass
41    )
42  )
43  and not profile.by_sender().solicited  
44attack_types:
45  - "Credential Phishing"
46  - "Spam"
47tactics_and_techniques:
48  - "Free email provider"
49  - "Impersonation: Brand"
50  - "Lookalike domain"
51  - "Social engineering"
52detection_methods:
53  - "Computer Vision"
54  - "Header analysis"
55  - "Sender analysis"
56id: "6833de58-23b6-5dea-b7c9-74e7287d8c13"