Brand impersonation: Punchbowl
Detects messages impersonating Punchbowl invitations that do not originate from a legitimate Punchbowl domain.
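# Sublime detection rule: Punchbowl brand impersonation.
# Matches inbound mail that carries Punchbowl invitation phrasing/markup
# but whose sender root domain is not one of the known Punchbowl domains.
# (Forge gutter numbers that had been fused onto each line were stripped and
# the YAML indentation restored; the rule logic itself is unchanged.)
name: "Brand impersonation: Punchbowl"
description: "Detects messages impersonating Punchbowl invitations not originating from legitimate Punchbowl domain."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Looking for Punchbowl phrasing in the current thread's text
  // (only body.current_thread.text is inspected here, not earlier quoted threads)
  and (
    strings.icontains(body.current_thread.text, "punchbowl")
    // Look for alt text in HTML for standardized Punchbowl formatting if string is not avail.
    or strings.icontains(body.html.raw, 'alt="Punchbowl"')
  )
  // Phrasing is typically "You're invited"
  and (
    strings.icontains(body.current_thread.text, "you're invited")
    // Fallback: the standard Punchbowl call-to-action buttons, identified by
    // their image src, with the surrounding text matching "open ... invitation"
    // or "save ... the date".
    // NOTE(review): the xpath selects img nodes; confirm .inner_text is populated
    // for them in the engine (e.g. from alt text) — if it is empty, this regex
    // branch can never match and only the "you're invited" string carries the check.
    or any([
             html.xpath(body.html,
                        '//a//img[contains(@src, "btn_open_invitation")]'
             ).nodes,
             html.xpath(body.html,
                        '//a//img[contains(@src, "btn_open_save_the_date")]'
             ).nodes,
           ],
           any(.,
               regex.icontains(.inner_text,
                               '(?:open|save).{0,10}(?:invitation|the date)'
               )
           )
    )
  )
  // Legitimate sender will be from punchbowl, negating known non-associated domains.
  // NOTE(review): this exclusion keys only on the header sender's root domain and
  // does not consult authentication results; a message that fails DMARC/SPF but
  // still presents a punchbowl.com sender is excluded as well. Confirm that
  // authentication failures are handled upstream, or pair this with an
  // authentication check, so the exclusion only covers verified Punchbowl mail.
  and not sender.email.domain.root_domain in ("punchbowl.com", "punchbowl.news")
  // Capping length to limit FP's
  // Trade-off: invitation lures longer than 1500 characters are not flagged by this rule.
  and length(body.current_thread.text) < 1500
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "58937ba0-6966-559a-bd4f-759ee8b2979e"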