Brand impersonation: Robinhood
Detects messages impersonating Robinhood by analyzing sender display name, domain, body content including specific address references, and social media links, while excluding legitimate Robinhood communications with proper DMARC authentication.
Sublime rule (View on GitHub)
# Sublime Security detection rule. The MQL expression under `source` is evaluated
# per inbound message; every other key is metadata used for triage and reporting.
name: "Brand impersonation: Robinhood"
description: "Detects messages impersonating Robinhood by analyzing sender display name, domain, body content including specific address references, and social media links, while excluding legitimate Robinhood communications with proper DMARC authentication."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Positive side: any ONE of the impersonation signals below is enough.
  and (
    // NLU: a Robinhood org/sender entity paired with a callback-scam intent
    // whose confidence is anything other than "low".
    (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name in ("org", "sender") and strings.icontains(.text, 'Robinhood')
      )
      and (
        any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "callback_scam" and .confidence != "low"
        )
      )
    )
    // Sign-off and copyright footer lines seen in the lures.
    or strings.icontains(body.current_thread.text, 'The Robinhood Team')
    // NOTE(review): '\s*\s*' is a doubled quantifier; a single '\s*' matches the same text.
    or regex.icontains(body.current_thread.text, '©\s*20[0-9]{2}\s*\s*Robinhood')
    // Callback phone number, tolerant of an optional country code, parentheses
    // around the area code, and space/dash/dot separators between groups.
    or regex.icontains(body.current_thread.text,
                       '(?:\+?\d{0,2}[\s\-\.]*)?(?:\(?888\)?)[\s\-\.]*344[\s\-\.]*3957'
    )
    or regex.icontains(body.current_thread.text,
                       'brokerage clearing (?:service|company|business)'
    )
    // NOTE(review): this check reads body.html.raw rather than body.current_thread.text,
    // so it also sees quoted/earlier content and markup — confirm that is intended.
    or regex.icontains(body.html.raw, 'new passkey was recently added')
    // Physical-address lure: brand name plus the street and city/zip strings.
    // The address strings are literal, so a lure with a different street number
    // or zip code will not satisfy this branch.
    or 2 of (
      strings.icontains(body.current_thread.text, "Robinhood"),
      regex.icontains(body.current_thread.text, '42 Willow (?:Road|St)'),
      strings.icontains(body.current_thread.text, "Menlo Park, CA 97095")
    )
    // Branded display name combined with either a login-alert style field list
    // (at least 3 of the 8 labels) or passkey / "security support" phone language.
    or (
      strings.icontains(sender.display_name, 'Robinhood')
      and (
        3 of (
          regex.icontains(body.current_thread.text, 'Location:?'),
          regex.icontains(body.current_thread.text, 'Time:'),
          regex.icontains(body.current_thread.text, 'Device:?'),
          regex.icontains(body.current_thread.text, 'IP Address:?'),
          regex.icontains(body.current_thread.text, 'Date:'),
          regex.icontains(body.current_thread.text, 'Region:?'),
          regex.icontains(body.current_thread.text, 'App:?'),
          regex.icontains(body.current_thread.text, 'Email ID:?')
        )
        or strings.icontains(body.current_thread.text, "new passkey added")
        or strings.icontains(body.current_thread.text,
                             "Security support phone number"
        )
      )
    )
    // Two or more links pointing at Robinhood's official social-media profiles,
    // a footer pattern copied from genuine Robinhood templates.
    or (
      length(filter(body.links,
                    strings.icontains(.href_url.url,
                                      'https://www.facebook.com/robinhood'
                    )
                    or strings.icontains(.href_url.url,
                                         'https://twitter.com/robinhoodapp'
                    )
                    or strings.icontains(.href_url.url,
                                         'https://www.youtube.com/@RobinhoodApp'
                    )
                    or strings.icontains(.href_url.url,
                                         'https://www.instagram.com/robinhood'
                    )
             )
      ) >= 2
    )
  )
  // negate legitimate replies and forwards
  // NOTE(review): assuming length(headers.references) always yields a number, the
  // 'headers.in_reply_to is null' term has no effect: when References is non-empty
  // the first conjunct is already true, and when it is empty the second branch is
  // true. Net effect: only messages with a non-empty References header AND a
  // reply/forward subject are excluded.
  and (
    (
      (length(headers.references) > 0 or headers.in_reply_to is null)
      and not (subject.is_reply or subject.is_forward)
    )
    or length(headers.references) == 0
  )
  // negate newsletters and webinars
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in (
                "Newsletters and Digests",
                "Health and Wellness",
                "Events and Webinars"
              )
              and .confidence == "high"
  )
  // Suppress when NLU is highly confident the message is benign.
  and not any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "benign" and .confidence == "high"
  )
  // Allowlist of authenticated senders. A DMARC pass is required, so a spoofed
  // From domain without alignment is still evaluated; coalesce() treats a missing
  // auth summary as "not passed". Note the allowlist is by root domain only, so
  // ANY DMARC-passing mail from the listed third-party domains is exempt, not just
  // Robinhood-related mail.
  and not (
    sender.email.domain.root_domain in (
      "robinhood.com",
      "robinhood.org",
      "duck.com", // unrelated domain
      "robinhoodauctions.com", // unrelated domain
      "bitstamp.net", // robinhood acquisition
      "sinch.com" // unrelated domain
    )
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "7c8eca19-63ac-5cd3-a92b-4fb34b526683"