Brand impersonation: Hulu

 1name: "Brand impersonation: Hulu"
 2description: "Impersonation of Hulu."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    strings.ilike(sender.display_name, '*hulu*')
 9    or (
10      strings.ilevenshtein(sender.display_name, 'hulu') <= 1
11      and not (
12        // lulu.com is a self publisher
13        sender.display_name =~ "lulu"
14        and sender.email.domain.root_domain == "lulu.com"
15      )
16    )
17    or strings.ilike(sender.email.domain.domain, '*hulu*')
18    or (
19      (
20        length(recipients.to) == 0
21        or (
22          all(recipients.to, .email.domain.valid == false)
23          and all(recipients.cc, .email.domain.valid == false)
24        )
25      )
26      and any(ml.logo_detect(beta.message_screenshot()).brands,
27              .name == "Hulu" and .confidence in ("medium", "high")
28      )
29    )
30  )
31  and (
32    sender.email.domain.root_domain not in ('hulu.com', 'hulumail.com')
33    or (
34      sender.email.domain.root_domain in ('hulu.com', 'hulumail.com')
35      and not headers.auth_summary.dmarc.pass
36    )
37  )
38  and not profile.by_sender().solicited  
39attack_types:
40  - "Credential Phishing"
41  - "Spam"
42tactics_and_techniques:
43  - "Free email provider"
44  - "Impersonation: Brand"
45  - "Lookalike domain"
46  - "Social engineering"
47detection_methods:
48  - "Computer Vision"
49  - "Header analysis"
50  - "Sender analysis"
51id: "6833de58-23b6-5dea-b7c9-74e7287d8c13"