Brand impersonation: Hulu
Impersonation of Hulu.
# Detection rule: fires on inbound mail that presents itself as Hulu (via the
# sender display name, the sender domain, or a detected Hulu logo) unless it is
# DMARC-passing mail from Hulu's own root domains, and only when the recipient
# has not previously solicited mail from this sender.
name: "Brand impersonation: Hulu"
description: "Impersonation of Hulu."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Brand reference in the sender identity or message body; any one branch is enough.
  and (
    // Display name contains "hulu" as a case-insensitive substring.
    strings.ilike(sender.display_name, '*hulu*')
    // Display name is within one case-insensitive edit of "hulu". A distance of 1
    // also admits unrelated four-letter names one edit away (e.g. "zulu"), so this
    // branch relies on the sender-domain and solicited checks below to limit noise.
    or strings.ilevenshtein(sender.display_name, 'hulu') <= 1
    // Sender domain contains "hulu" anywhere. This catches lookalike domains but
    // also any unrelated domain containing the substring; the root-domain/DMARC
    // block further down is what exempts genuine Hulu mail.
    or strings.ilike(sender.email.domain.domain, '*hulu*')
    // Visual branding: a medium/high-confidence Hulu logo in the rendered message.
    // Only evaluated when the To header is empty or every To and CC address has an
    // invalid domain (presumably a proxy for bulk/hidden-recipient delivery — confirm).
    or (
      (
        length(recipients.to) == 0
        or (
          all(recipients.to, .email.domain.valid == false)
          and all(recipients.cc, .email.domain.valid == false)
        )
      )
      and any(ml.logo_detect(beta.message_screenshot()).brands,
        .name == "Hulu" and .confidence in ("medium", "high")
      )
    )
  )
  // Legitimate-sender carve-out: mail from Hulu's own root domains is exempt only
  // when DMARC passes, so a spoofed From: on those domains still fires.
  and (
    sender.email.domain.root_domain not in ('hulu.com', 'hulumail.com')
    or (
      sender.email.domain.root_domain in ('hulu.com', 'hulumail.com')
      and not headers.auth_summary.dmarc.pass
    )
  )
  // Suppress mail the recipient has previously solicited from this sender.
  and not profile.by_sender().solicited

attack_types:
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "Sender analysis"
id: "6833de58-23b6-5dea-b7c9-74e7287d8c13"