Brand impersonation: Punchbowl
Detects messages impersonating Punchbowl invitations not originating from legitimate Punchbowl domain.
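name: "Brand impersonation: Punchbowl"
description: "Detects messages impersonating Punchbowl invitations not originating from legitimate Punchbowl domain."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Punchbowl branding in the current thread text, in the HTML alt text, or
  // via an invitation image hosted on Punchbowl's static domain. Alt text is
  // checked because image-only invitations carry no visible brand string.
  and (
    strings.icontains(body.current_thread.text, "punchbowl")
    or strings.icontains(body.html.raw, 'alt="Punchbowl"')
    // Image sourced from static.punchbowl.com under an /invitation path
    or any(html.xpath(body.html, '//img/@src').nodes,
           strings.parse_url(.raw).domain.domain == "static.punchbowl.com"
           and strings.icontains(strings.parse_url(.raw).path, '/invitation')
    )
  )
  // Invitation phrasing: the plain "You're invited" text, or the Punchbowl
  // call-to-action image buttons ("open invitation" / "save the date").
  // NOTE(review): the literal uses a straight apostrophe only; a typographic
  // apostrophe in "you're" would not match this branch - confirm against samples.
  and (
    strings.icontains(body.current_thread.text, "you're invited")
    or any([
          html.xpath(body.html,
                     '//a//img[contains(@src, "btn_open_invitation")]'
          ).nodes,
          html.xpath(body.html,
                     '//a//img[contains(@src, "btn_open_save_the_date")]'
          ).nodes,
        ],
        any(.,
            regex.icontains(.inner_text,
                            '(?:open|save).{0,10}(?:invitation|the date)'
            )
        )
    )
  )
  // Only exempt a Punchbowl sender domain when the message authenticates.
  // The From: domain by itself is attacker-controlled, so an unauthenticated
  // message claiming punchbowl.com must still be evaluated by this rule.
  and not (
    sender.email.domain.root_domain in ("punchbowl.com", "punchbowl.news")
    and headers.auth_summary.dmarc.pass
  )
  // Cap the body length to limit false positives on long threads that merely
  // mention Punchbowl
  and length(body.current_thread.text) < 1500
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "58937ba0-6966-559a-bd4f-759ee8b2979e"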