Brand impersonation: Toronto-Dominion Bank
Impersonation of TD Bank or TD Canada Trust using display name spoofing or logo detection, combined with suspicious content related to security authentication or credential theft from unauthorized senders.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Toronto-Dominion Bank"
2description: "Impersonation of TD Bank or TD Canada Trust using display name spoofing or logo detection, combined with suspicious content related to security authentication or credential theft from unauthorized senders."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 // display name contains TD Bank
9 (
10 strings.ilike(strings.replace_confusables(sender.display_name), '*TD Bank*')
11 or strings.ilike(strings.replace_confusables(sender.display_name),
12 '*TD Canada Trust*'
13 )
14 // levenshtein distance similar to TD bank
15 or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
16 'TD Bank'
17 ) <= 1
18 or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
19 'TD Canada Trust'
20 ) <= 1
21 or any(ml.logo_detect(file.message_screenshot()).brands,
22 .name == "TD Bank" and .confidence == "high"
23 )
24 // TD Secure Email
25 or any([subject.base, sender.display_name], strings.ilike(., "*TD?Secure*"))
26 )
27 )
28 and (
29 (
30 any(ml.nlu_classifier(body.current_thread.text).topics,
31 .name in (
32 "Security and Authentication",
33 "Secure Message",
34 "Reminders and Notifications"
35 )
36 and .confidence in ("medium", "high")
37 )
38 and not any(ml.nlu_classifier(body.current_thread.text).topics,
39 .name in ("Newsletters and Digests", "Entertainment and Sports")
40 and .confidence in ("medium", "high")
41 )
42 )
43 or (
44 beta.ocr(file.message_screenshot()).text != ""
45 and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
46 .name in (
47 "Security and Authentication",
48 "Secure Message",
49 "Reminders and Notifications"
50 )
51 and .confidence in ("medium", "high")
52 )
53 and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
54 .name in ("Newsletters and Digests", "Entertainment and Sports")
55 and .confidence in ("medium", "high")
56 )
57 )
58 or any(ml.nlu_classifier(body.current_thread.text).intents,
59 .name == "cred_theft" and .confidence == "high"
60 )
61 or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
62 .name == "cred_theft" and .confidence == "high"
63 )
64 )
65
66 // and the sender is not in org_domains or from TD domains and passes auth
67 and not (
68 sender.email.domain.root_domain in $org_domains
69 or (
70 sender.email.domain.root_domain in (
71 "td.com",
72 "tdbank.com",
73 "tdcanadatrust.com",
74 "tdameritrade.com",
75 "tdwaterhouse.ca",
76 "tdwaterhouse.com",
77 "tdassetmanagement.com",
78 "tdinsurance.com",
79 "tdautofinance.com",
80 "tdautofinance.ca",
81 "email-td.com",
82 "feedback-td.com",
83 "interac.ca"
84 )
85 and headers.auth_summary.dmarc.pass
86 )
87 )
88 // and the sender is not from high trust sender root domains
89 and (
90 (
91 sender.email.domain.root_domain in $high_trust_sender_root_domains
92 and not headers.auth_summary.dmarc.pass
93 )
94 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
95 )
96 and (
97 not profile.by_sender().solicited
98 or not headers.auth_summary.dmarc.pass
99 or not headers.auth_summary.spf.pass
100 )
101
102attack_types:
103 - "Credential Phishing"
104tactics_and_techniques:
105 - "Impersonation: Brand"
106 - "Social engineering"
107detection_methods:
108 - "Computer Vision"
109 - "Content analysis"
110 - "Header analysis"
111 - "Natural Language Understanding"
112 - "Optical Character Recognition"
113 - "Sender analysis"
114id: "2dc16a55-32c0-5731-85bd-08131aa535ab"