Brand Impersonation: SiriusXM

calendar Oct 25, 2024  ยท
Share on: linkedin copy

Impersonation of the broadcasting corporation SiriusXM.

Sublime rule (View on GitHub)

 1name: "Brand Impersonation: SiriusXM"
 2description: "Impersonation of the broadcasting corporation SiriusXM."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    strings.ilike(sender.display_name, '*siriusxm*')
 9    or strings.ilevenshtein(sender.display_name, 'siriusxm') <= 1
10    or strings.ilike(sender.email.domain.domain, '*siriusxm*')
11  )
12  and (
13    sender.email.domain.root_domain not in ('siriusxm.com', 'siriusxmmedia.com', 'siriusxm.ca')
14    or (
15      sender.email.domain.root_domain in ('siriusxm.com', 'siriusxmmedia.com', 'siriusxm.ca')
16      and not headers.auth_summary.dmarc.pass
17    )
18  )
19  and not profile.by_sender().solicited  
20attack_types:
21  - "Callback Phishing"
22  - "Credential Phishing"
23  - "Spam"
24tactics_and_techniques:
25  - "Free email provider"
26  - "Impersonation: Brand"
27  - "Social engineering"
28detection_methods:
29  - "Content analysis"
30  - "Header analysis"
31  - "Sender analysis"
32id: "70eb3792-cd7a-5369-b1c3-65a3b772de00"
to-top