Brand impersonation: Robinhood
Detects messages impersonating Robinhood by analyzing sender display name, domain, body content including specific address references, and social media links, while excluding legitimate Robinhood communications with proper DMARC authentication.
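name: "Brand impersonation: Robinhood"
description: "Detects messages impersonating Robinhood by analyzing sender display name, domain, body content including specific address references, and social media links, while excluding legitimate Robinhood communications with proper DMARC authentication."
type: "rule"
severity: "medium"
source: |
  // Robinhood brand-impersonation detection.
  //
  // Shape of the rule:
  //   inbound
  //   AND (any one of the impersonation signals below)
  //   AND NOT (reply/forward thread that carries a References header)
  //   AND NOT (high-confidence newsletter / webinar)
  //   AND NOT (listed sender root domain that passes DMARC)
  type.inbound
  and (
    // Signal 1: NLU tags Robinhood as the org/sender AND sees a callback-scam
    // intent that is not low confidence.
    (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name in ("org", "sender") and strings.icontains(.text, 'Robinhood')
      )
      and (
        any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "callback_scam" and .confidence != "low"
        )
      )
    )
    // Signal 2: boilerplate sign-off / copyright strings lifted from Robinhood mail.
    or strings.icontains(body.current_thread.text, 'The Robinhood Team')
    // Copyright line such as "© 2024 Robinhood" with optional whitespace on
    // either side of the year (a duplicated \s*\s* was collapsed to one \s*;
    // the two forms match the same strings).
    or regex.icontains(body.current_thread.text, '©\s*20[0-9]{2}\s*Robinhood')
    // Signal 3: brand name plus physical-address fragments. These are literal
    // matches. NOTE(review): verify the street and ZIP strings against a
    // current legitimate Robinhood footer; if they do not match real footer
    // text this "2 of" clause will rarely fire.
    or 2 of (
      strings.icontains(body.current_thread.text, "Robinhood"),
      regex.icontains(body.current_thread.text, '42 Willow (?:Road|St)'),
      strings.icontains(body.current_thread.text, "Menlo Park, CA 97095")
    )
    // Signal 4: display name claims Robinhood and the body reads like a
    // security/login alert (3 of the 4 alert fields, or a passkey notice).
    // 'Location:?', 'Device:?' and 'IP Address:?' make the colon optional,
    // 'Time:' does not — kept as-is.
    or (
      strings.icontains(sender.display_name, 'Robinhood')
      and (
        3 of (
          regex.icontains(body.current_thread.text, 'Location:?'),
          regex.icontains(body.current_thread.text, 'Time:'),
          regex.icontains(body.current_thread.text, 'Device:?'),
          regex.icontains(body.current_thread.text, 'IP Address:?')
        )
        or strings.icontains(body.current_thread.text, "new passkey added")
      )
    )
    // Signal 5: two or more links pointing at official Robinhood social
    // profiles. icontains is a substring test, so a link whose URL merely
    // embeds one of these strings (e.g. in a redirect or tracking parameter)
    // also counts. That is acceptable for a positive signal; do not reuse
    // this list as an allow-list.
    or (
      length(filter(body.links,
                    strings.icontains(.href_url.url,
                                      'https://www.facebook.com/robinhood'
                    )
                    or strings.icontains(.href_url.url,
                                         'https://twitter.com/robinhoodapp'
                    )
                    or strings.icontains(.href_url.url,
                                         'https://www.youtube.com/@RobinhoodApp'
                    )
                    or strings.icontains(.href_url.url,
                                         'https://www.instagram.com/robinhood'
                    )
             )
      ) >= 2
    )
  )
  // negate legitimate replies and forwards
  // Effective meaning: suppress only when a References header is present AND
  // the subject looks like a reply/forward. Whenever length(headers.references)
  // is 0 the second disjunct is already true, so the In-Reply-To hop check in
  // the first disjunct never changes the outcome. It is left in place here;
  // if In-Reply-To-only threads should also be suppressed, the condition needs
  // restructuring rather than this clause.
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (subject.is_reply or subject.is_forward)
    )
    or length(headers.references) == 0
  )
  // negate newsletters and webinars
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in ("Newsletters and Digests", "Events and Webinars")
              and .confidence == "high"
  )
  // negate legitimate senders: only when the root domain is listed AND DMARC
  // passed. coalesce(..., false) fails closed — a message with no DMARC
  // result is not exempted. Every entry here is an allow-list entry, so each
  // domain must be one whose DMARC pass actually vouches for the content.
  // NOTE(review): duck.com is annotated "unrelated"; if it is a mail
  // forwarding/relay service, a DMARC pass there vouches for the relay, not
  // for the original sender — confirm why it is exempted before keeping it.
  and not (
    sender.email.domain.root_domain in (
      "robinhood.com",
      "robinhood.org",
      "duck.com", // unrelated domain
      "robinhoodauctions.com", // unrelated domain
      "bitstamp.net" // robinhood acquisition
    )
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "7c8eca19-63ac-5cd3-a92b-4fb34b526683"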