Brand impersonation: Interac

 1name: "Brand impersonation: Interac"
 2description: "Impersonation of the Canadian interbanking network Interac. Seen in the wild impersonating carbon tax rebates and tax return refunds."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    strings.ilike(sender.display_name, '*interac e-transfer*')
 9    or strings.ilike(sender.display_name, "*interac e?trasfer*")
10    or strings.ilike(subject.subject, '*interac e-transfer*')
11    or strings.ilevenshtein(sender.display_name, 'interac e-transfer') <= 2
12  )
13  and sender.email.domain.root_domain not in ('interac.ca')
14  and 1 of (
15    any(ml.nlu_classifier(body.current_thread.text).entities,
16        .name == "org" and strings.icontains(.text, "interac")
17    ),
18    any(ml.nlu_classifier(body.current_thread.text).entities,
19        .name == "financial"
20    ),
21  )
22  and not profile.by_sender().solicited
23  
24  // negate highly trusted sender domains unless they fail DMARC authentication
25  and (
26    (
27      sender.email.domain.root_domain in $high_trust_sender_root_domains
28      and not headers.auth_summary.dmarc.pass
29    )
30    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
31  )
32    
33
34attack_types:
35  - "BEC/Fraud"
36tactics_and_techniques:
37  - "Impersonation: Brand"
38  - "Lookalike domain"
39  - "Social engineering"
40detection_methods:
41  - "Content analysis"
42  - "Header analysis"
43  - "Natural Language Understanding"
44  - "Sender analysis"
45id: "50a883dc-a2f8-56d7-ad91-a8397e4ab941"