Brand impersonation: Toronto-Dominion Bank
Impersonation of TD Bank or TD Canada Trust using display name spoofing or logo detection, combined with suspicious content related to security authentication or credential theft from unauthorized senders.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Toronto-Dominion Bank"
2description: "Impersonation of TD Bank or TD Canada Trust using display name spoofing or logo detection, combined with suspicious content related to security authentication or credential theft from unauthorized senders."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 // display name contains TD Bank
9 (
10 strings.ilike(strings.replace_confusables(sender.display_name), '*TD Bank*')
11 or strings.ilike(strings.replace_confusables(sender.display_name),
12 '*TD Canada Trust*'
13 )
14 // levenshtein distance similar to TD bank
15 or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
16 'TD Bank'
17 ) <= 1
18 or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
19 'TD Canada Trust'
20 ) <= 1
21 or any(ml.logo_detect(file.message_screenshot()).brands,
22 .name == "TD Bank" and .confidence == "high"
23 )
24 )
25 )
26 and (
27 (
28 any(ml.nlu_classifier(body.current_thread.text).topics,
29 .name in (
30 "Security and Authentication",
31 "Secure Message",
32 "Reminders and Notifications"
33 )
34 and .confidence in ("medium", "high")
35 )
36 and not any(ml.nlu_classifier(body.current_thread.text).topics,
37 .name in ("Newsletters and Digests", "Entertainment and Sports")
38 and .confidence in ("medium", "high")
39 )
40 )
41 or (
42 beta.ocr(file.message_screenshot()).text != ""
43 and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
44 .name in (
45 "Security and Authentication",
46 "Secure Message",
47 "Reminders and Notifications"
48 )
49 and .confidence in ("medium", "high")
50 )
51 and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
52 .name in ("Newsletters and Digests", "Entertainment and Sports")
53 and .confidence in ("medium", "high")
54 )
55 )
56 or any(ml.nlu_classifier(body.current_thread.text).intents,
57 .name == "cred_theft" and .confidence == "high"
58 )
59 or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
60 .name == "cred_theft" and .confidence == "high"
61 )
62 )
63
64 // and the sender is not in org_domains or from TD domains and passes auth
65 and not (
66 sender.email.domain.root_domain in $org_domains
67 or (
68 sender.email.domain.root_domain in (
69 "td.com",
70 "tdbank.com",
71 "tdcanadatrust.com",
72 "tdameritrade.com",
73 "tdwaterhouse.ca",
74 "tdwaterhouse.com",
75 "tdassetmanagement.com",
76 "tdinsurance.com",
77 "tdautofinance.com",
78 "tdautofinance.ca",
79 "email-td.com",
80 "feedback-td.com",
81 "interac.ca"
82 )
83 and headers.auth_summary.dmarc.pass
84 )
85 )
86 // and the sender is not from high trust sender root domains
87 and (
88 (
89 sender.email.domain.root_domain in $high_trust_sender_root_domains
90 and not headers.auth_summary.dmarc.pass
91 )
92 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
93 )
94 and (
95 not profile.by_sender().solicited
96 or not headers.auth_summary.dmarc.pass
97 or not headers.auth_summary.spf.pass
98 )
99
100attack_types:
101 - "Credential Phishing"
102tactics_and_techniques:
103 - "Impersonation: Brand"
104 - "Social engineering"
105detection_methods:
106 - "Computer Vision"
107 - "Content analysis"
108 - "Header analysis"
109 - "Natural Language Understanding"
110 - "Optical Character Recognition"
111 - "Sender analysis"
112id: "2dc16a55-32c0-5731-85bd-08131aa535ab"