Brand impersonation: Morgan Stanley

Detects messages impersonating Morgan Stanley that contain indicators of credential theft or callback scams, including references to secure email systems, client service centers, financial advisors, and registration processes. The rule identifies spoofed communications by checking for Morgan Stanley branding elements while excluding legitimate domains.


# Sublime Security detection rule (MQL inside `source`).
# Shape of the logic, top to bottom:
#   inbound mail
#   AND a Morgan Stanley brand signal (display name, NLU entity, or helpdesk address)
#   AND the literal "Morgan Stanley" somewhere in the current thread body
#   AND three or more lure indicators (support numbers, secure-mail wording, NLU intent, ...)
#   AND NOT a DMARC-authenticated message from the listed legitimate domains
#   AND NOT a Proofpoint Secure encrypted-mail notification
name: "Brand impersonation: Morgan Stanley"
description: "Detects messages impersonating Morgan Stanley that contain indicators of credential theft or callback scams, including references to secure email systems, client service centers, financial advisors, and registration processes. The rule identifies spoofed communications by checking for Morgan Stanley branding elements while excluding legitimate domains."
type: "rule"
severity: "medium"
source: |
  // Only inbound messages are evaluated.
  type.inbound
  // Brand signal: at least one of the four alternatives below must hold.
  and (
    // Display name contains the brand after homoglyph/confusable normalisation.
    strings.ilike(strings.replace_confusables(sender.display_name),
                  '*morgan stanley*',
                  '*morganstanley*'
    )
    // ...or is within two edits of it (catches near-miss spellings).
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'morgan stanley'
    ) <= 2
    // ...or the NLU classifier tags an org/sender entity that names the brand.
    or any(ml.nlu_classifier(body.current_thread.text).entities,
           .name in ("org", "sender")
           and strings.icontains(.text, 'Morgan Stanley')
    )
    // ...or the body cites the brand's secure-email helpdesk address.
    or strings.icontains(body.current_thread.text,
                         'secure.emailhelp@morganstanley.com'
    )
  )
  // The brand name must also appear verbatim (case-insensitive) in the body.
  and strings.icontains(body.current_thread.text, "Morgan Stanley")
  // Lure content: three or more of the following indicators.
  and 3 of (
    strings.icontains(body.current_thread.text, "Client Service Center"),
    regex.icontains(body.current_thread.text,
                    'Financial Advis?or\s*[|/]\s*(?:Portfolio\s+)?Manager'
    ),
    regex.icontains(body.current_thread.text, 'Secure (?:E-)?Mail'),
    strings.icontains(body.current_thread.text, "Click here to view"),
    strings.icontains(body.current_thread.text, "encrypted messages"),
    strings.icontains(body.current_thread.text, "1-800-780-0256"),
    strings.icontains(body.current_thread.text,
                      "secure.emailhelp@morganstanley.com"
    ),
    regex.icontains(body.current_thread.text,
                    'Morgan Stanley\s+(?:Smith Barney|Wealth Management|\w+\s+Team)'
    ),
    strings.icontains(body.current_thread.text, "one-time registration"),
    strings.icontains(body.current_thread.text, "see payment activity"),
    // Date-stamped link-expiry phrasing typical of fake secure-mail notices.
    regex.icontains(body.current_thread.text,
                    'link will expire on \d{4}-\d{2}-\d{2}'
    ),
    // High-confidence NLU intent for credential theft or callback scam.
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("cred_theft", "callback_scam") and .confidence == "high"
    )
  )
  // Exclusion 1: legitimate sender domains, but only when DMARC passed.
  // coalesce(..., false) treats a missing DMARC result as a failure, so
  // unauthenticated mail claiming these domains is still evaluated.
  and not (
    sender.email.domain.root_domain in ("docusign.net", "morganstanley.com", )
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  // Exclusion 2: Proofpoint Secure encrypted-mail notifications.
  // NOTE(review): unlike exclusion 1 this is keyed only on a header name/value
  // and a domain seen in headers.domains, with no authentication gate; confirm
  // that is intended, since headers are attacker-controlled on spoofed mail.
  and not (
    any(headers.hops,
        any(.fields,
            .name == "X-ProofpointSecure"
            and strings.icontains(.value, "Encrypted")
        )
    )
    and any(headers.domains, .root_domain == "pphosted.com")
  )  
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "3bb49b76-bf8f-598c-9854-7b8f3aadf3df"