Brand impersonation: Punchbowl

Detects messages impersonating Punchbowl invitations not originating from legitimate Punchbowl domain.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Punchbowl"
 2description: "Detects messages impersonating Punchbowl invitations not originating from legitimate Punchbowl domain."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  // Looking for Punchbowl phrasing in all body threads
 8  and (
 9    strings.icontains(body.current_thread.text, "punchbowl")
10    // Look for alt text in HTML for standardized Punchbowl formatting if string is not avail.
11    or strings.icontains(body.html.raw, 'alt="Punchbowl"')
12    // image sourced from punchbowl
13    or any(html.xpath(body.html, '//img/@src').nodes,
14           strings.parse_url(.raw).domain.domain == "static.punchbowl.com"
15           and strings.icontains(strings.parse_url(.raw).path, '/invitation')
16    )
17  )
18  // Phrasing is typically "You're invited"
19  and (
20    strings.icontains(body.current_thread.text, "you're invited")
21    //
22    // This rule makes use of a beta feature and is subject to change without notice
23    // using the beta feature in custom rules is not suggested until it has been formally released
24    //
25    or (
26      strings.icontains(beta.ocr(file.message_screenshot()).text,
27                        "you're invited",
28                        "open me"
29      )
30      and regex.icontains(body.current_thread.text, 'don.t want .{1,40}\?')
31    )
32    or any([
33             html.xpath(body.html,
34                        '//a//img[contains(@src, "btn_open_invitation")]'
35             ).nodes,
36             html.xpath(body.html,
37                        '//a//img[contains(@src, "btn_open_save_the_date")]'
38             ).nodes,
39           ],
40           any(.,
41               regex.icontains(.inner_text,
42                               '(?:open|save).{0,10}(?:invitation|the date)'
43               )
44           )
45    )
46  )
47  // Legitimate sender will be from punchbowl, negating known non-associated domains.
48  and not sender.email.domain.root_domain in ("punchbowl.com", "punchbowl.news")
49  // Capping length to limit FP's
50  and length(body.current_thread.text) < 1500  
51attack_types:
52  - "Credential Phishing"
53tactics_and_techniques:
54  - "Impersonation: Brand"
55  - "Social engineering"
56detection_methods:
57  - "Content analysis"
58  - "Sender analysis"
59id: "58937ba0-6966-559a-bd4f-759ee8b2979e"
to-top