Brand impersonation: SiriusXM

 1name: "Brand impersonation: SiriusXM"
 2description: "Impersonation of the broadcasting corporation SiriusXM."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    strings.ilike(sender.display_name, '*siriusxm*')
 9    or strings.ilevenshtein(sender.display_name, 'siriusxm') <= 1
10    or strings.ilike(sender.email.domain.domain, '*siriusxm*')
11  )
12  and (
13    sender.email.domain.root_domain not in (
14      'siriusxm.com',
15      'siriusxmmedia.com',
16      'siriusxm.ca',
17      'engagement360.net', // SiriusXM survey vendor
18      'sciquest.com' // SiriusXM Procurement
19    )
20    or (
21      sender.email.domain.root_domain in (
22        'siriusxm.com',
23        'siriusxmmedia.com',
24        'siriusxm.ca',
25        'engagement360.net', // SiriusXM survey vendor
26        'sciquest.com' // SiriusXM Procurement
27      )
28      and not headers.auth_summary.dmarc.pass
29    )
30  )
31  and not profile.by_sender().solicited  
32attack_types:
33  - "Callback Phishing"
34  - "Credential Phishing"
35  - "Spam"
36tactics_and_techniques:
37  - "Free email provider"
38  - "Impersonation: Brand"
39  - "Social engineering"
40detection_methods:
41  - "Content analysis"
42  - "Header analysis"
43  - "Sender analysis"
44id: "70eb3792-cd7a-5369-b1c3-65a3b772de00"