Brand impersonation: Punchbowl
Detects messages impersonating Punchbowl invitations not originating from legitimate Punchbowl domain.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Punchbowl"
2description: "Detects messages impersonating Punchbowl invitations not originating from legitimate Punchbowl domain."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 // Looking for Punchbowl phrasing in all body threads
8 and (
9 strings.icontains(body.current_thread.text, "punchbowl")
10 // Look for alt text in HTML for standardized Punchbowl formatting if string is not avail.
11 or strings.icontains(body.html.raw, 'alt="Punchbowl"')
12 // image sourced from punchbowl
13 or any(html.xpath(body.html, '//img/@src').nodes,
14 strings.parse_url(.raw).domain.domain == "static.punchbowl.com"
15 and strings.icontains(strings.parse_url(.raw).path, '/invitation')
16 )
17 )
18 // Phrasing is typically "You're invited"
19 and (
20 strings.icontains(body.current_thread.text, "you're invited")
21 //
22 // This rule makes use of a beta feature and is subject to change without notice
23 // using the beta feature in custom rules is not suggested until it has been formally released
24 //
25 or (
26 strings.icontains(beta.ocr(file.message_screenshot()).text,
27 "you're invited",
28 "open me"
29 )
30 and regex.icontains(body.current_thread.text, 'don.t want .{1,40}\?')
31 )
32 or any([
33 html.xpath(body.html,
34 '//a//img[contains(@src, "btn_open_invitation")]'
35 ).nodes,
36 html.xpath(body.html,
37 '//a//img[contains(@src, "btn_open_save_the_date")]'
38 ).nodes,
39 ],
40 any(.,
41 regex.icontains(.inner_text,
42 '(?:open|save).{0,10}(?:invitation|the date)'
43 )
44 )
45 )
46 )
47 // Legitimate sender will be from punchbowl, negating known non-associated domains.
48 and not sender.email.domain.root_domain in ("punchbowl.com", "punchbowl.news")
49 // Capping length to limit FP's
50 and length(body.current_thread.text) < 1500
51attack_types:
52 - "Credential Phishing"
53tactics_and_techniques:
54 - "Impersonation: Brand"
55 - "Social engineering"
56detection_methods:
57 - "Content analysis"
58 - "Sender analysis"
59id: "58937ba0-6966-559a-bd4f-759ee8b2979e"