Brand Impersonation: Mailchimp

Detects messages from senders impersonating Mailchimp through display name spoofing or brand logo usage, combined with security-themed content and suspicious authentication patterns.


# Sublime Security detection rule: YAML metadata plus an MQL expression in `source`.
# The message matches only when every top-level `and` clause in `source` holds:
# a Mailchimp brand signal, a security-themed content signal, and none of the exclusions.
name: "Brand Impersonation: Mailchimp"
description: "Detects messages from senders impersonating Mailchimp through display name spoofing or brand logo usage, combined with security-themed content and suspicious authentication patterns."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // display name contains Mailchimp
    // Brand signal: any one of (a) display name contains "mailchimp" after
    // confusable-character normalization, (b) display name is within one
    // edit of "mailchimp", or (c) a high-confidence Mailchimp logo is
    // detected in the rendered message screenshot.
    (
      strings.ilike(strings.replace_confusables(sender.display_name),
                    '*mailchimp*'
      )
      // levenshtein distance similar to Mailchimp
      // <= 1 tolerates a single-character difference from "mailchimp"
      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                              'mailchimp'
      ) <= 1
      or any(ml.logo_detect(beta.message_screenshot()).brands,
             .name == "Mailchimp" and .confidence == "high"
      )
    )
  )
  and (
    // Content signal: a security/notification topic at medium or high
    // confidence, or a high-confidence credential-theft intent. Each check
    // runs twice: on the current-thread body text and on OCR text of the
    // screenshot, so image-only lures are also covered.
    any(beta.ml_topic(body.current_thread.text).topics,
        .name in (
          "Security and Authentication",
          "Secure Message",
          "Reminders and Notifications"
        )
        and .confidence in ("medium", "high")
    )
    or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,
           .name in (
             "Security and Authentication",
             "Secure Message",
             "Reminders and Notifications"
           )
           and .confidence in ("medium", "high")
           // require non-empty OCR output so a topic is never matched on
           // an empty string
           and beta.ocr(beta.message_screenshot()).text != ""
    )
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "cred_theft" and .confidence == "high"
    )
    or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
           .name == "cred_theft" and .confidence == "high"
    )
  )

  // and the sender is not in org_domains or from Mailchimp domains and passes auth
  // Exclusions. The Intuit/Mailchimp domain exemption is tied to a DMARC
  // pass, so mail from those root domains that fails DMARC stays in scope.
  and not (
    sender.email.domain.root_domain in $org_domains
    or (
      sender.email.domain.root_domain in ("intuit.com", "mailchimp.com")
      and headers.auth_summary.dmarc.pass
    )
  )
  // NOTE(review): Message-ID is asserted by the sending system and is not
  // covered by the DMARC result; unlike the domain exemption above, this
  // exclusion applies regardless of authentication, so it is a potential
  // false-negative path. Consider pairing it with
  // headers.auth_summary.dmarc.pass or a sender-domain condition if the
  // false-positive cost allows.
  and not strings.ends_with(headers.message_id, ".mailchimp.com>")
  // and the sender is not from high trust sender root domains
  // High-trust root domains are exempt only when DMARC passes; a high-trust
  // domain failing DMARC, and every other domain, remains in scope.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Sender-profile exclusion: skip senders whose profile is marked
  // solicited — presumably prior legitimate contact with the recipient;
  // confirm the exact semantics against the Sublime profile docs.
  and not profile.by_sender().solicited


# Classification metadata for the rule (presumably used for grouping and
# reporting in the Sublime UI; not evaluated as part of `source`).
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Natural Language Understanding"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "48b454c7-fcd7-54d4-b460-5dfec2c1a3e2"