Brand impersonation: SiriusXM
Impersonation of the broadcasting corporation SiriusXM.
Sublime rule
name: "Brand impersonation: SiriusXM"
description: "Impersonation of the broadcasting corporation SiriusXM."
type: "rule"
severity: "medium"
# Detection logic (MQL). All three top-level conditions must hold.
source: |
  type.inbound
  // 1. The brand name appears in the visible sender identity: the sending
  //    domain, the display name, or a display name within one edit of
  //    'siriusxm' (all comparisons are case-insensitive).
  and (
    strings.ilike(sender.email.domain.domain, '*siriusxm*')
    or strings.ilike(sender.display_name, '*siriusxm*')
    or strings.ilevenshtein(sender.display_name, 'siriusxm') <= 1
  )
  // 2. The root domain is not one of the expected SiriusXM senders, OR it
  //    is one of them but the message did not pass DMARC (spoofed legit
  //    domain). The allowlist appears twice and must be kept identical.
  and (
    (
      sender.email.domain.root_domain in (
        'siriusxm.ca',
        'siriusxm.com',
        'siriusxmmedia.com',
        'engagement360.net', // SiriusXM survey vendor
        'sciquest.com' // SiriusXM Procurement
      )
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in (
      'siriusxm.ca',
      'siriusxm.com',
      'siriusxmmedia.com',
      'engagement360.net', // SiriusXM survey vendor
      'sciquest.com' // SiriusXM Procurement
    )
  )
  // 3. Exclude senders the recipient has previously solicited mail from.
  and not profile.by_sender().solicited
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "70eb3792-cd7a-5369-b1c3-65a3b772de00"