Brand impersonation: TikTok
Detects messages impersonating TikTok through similar display names or logo detection, combined with security-themed content and authentication failures. Excludes legitimate TikTok communications and trusted senders.
Sublime rule (View on GitHub)
name: "Brand impersonation: TikTok"
description: "Detects messages impersonating TikTok through similar display names or logo detection, combined with security-themed content and authentication failures. Excludes legitimate TikTok communications and trusted senders."
type: "rule"
severity: "medium"
# Detection logic (MQL). Structure: inbound AND a TikTok brand signal AND a
# security/credential-theft content signal, minus exclusions for legitimate or
# trusted senders. Comments inside the block scalar use MQL's `//` syntax,
# because a `#` there would become part of the query text.
source: |
  type.inbound
  and (
    // TikTok Brand Detection
    (
      // display name contains tiktok (confusable characters replaced first)
      strings.ilike(strings.replace_confusables(sender.display_name), '*tiktok*')
      // levenshtein distance similar to tiktok (at most one edit away)
      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                              'tiktok'
      ) <= 1
      or (
        // exactly one brand must be detected in the message screenshot, and it
        // must be TikTok at high confidence; a screenshot containing several
        // logos does not satisfy this branch
        length(ml.logo_detect(file.message_screenshot()).brands) == 1
        and any(ml.logo_detect(file.message_screenshot()).brands,
                .name == "TikTok" and .confidence == "high"
        )
      )
      // hyphenated sender domain contains tiktok: root domains ending in
      // "-tiktok.com" (the legitimate tiktok.com root does not end this way)
      or strings.iends_with(sender.email.domain.root_domain, "-tiktok.com")
    )
    // OR TikTok verification language: brand signal from body text alone,
    // requiring the brand name plus verification-badge phrasing
    or (
      strings.icontains(body.current_thread.text, "tiktok")
      and (
        strings.icontains(body.current_thread.text, "verified badge")
        or strings.icontains(body.current_thread.text, "verification criteria")
        or strings.icontains(body.current_thread.text, "activate badge")
        or strings.icontains(body.current_thread.text, "verification complete")
        or strings.icontains(body.current_thread.text, "almost verified")
        or strings.icontains(body.current_thread.text, "review complete")
        or strings.icontains(body.current_thread.text, "verify profile")
      )
    )
  )
  and (
    // ML Topic Analysis and Credential Theft Detection
    // the same topic list is evaluated against the body text and against OCR
    // text extracted from the message screenshot
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in (
          "Security and Authentication",
          "Secure Message",
          "Reminders and Notifications"
        )
        and .confidence in ("medium", "high")
    )
    or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
           .name in (
             "Security and Authentication",
             "Secure Message",
             "Reminders and Notifications"
           )
           and .confidence in ("medium", "high")
           // do not count a topic match when OCR produced no text
           and beta.ocr(file.message_screenshot()).text != ""
    )
    // high-confidence credential-theft intent from either text source
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "cred_theft" and .confidence == "high"
    )
    or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
           .name == "cred_theft" and .confidence == "high"
    )
  )
  // Not from org domains, and not from legitimate TikTok/ByteDance domains with
  // DMARC pass. Because the domain list is tied to a DMARC pass, a message that
  // spoofs one of these domains without passing DMARC is still evaluated.
  // NOTE(review): the $org_domains exclusion carries no DMARC condition, unlike
  // the domain list below — confirm this is intended.
  and not (
    sender.email.domain.root_domain in $org_domains
    or (
      sender.email.domain.root_domain in (
        "tiktok.com",
        "tiktokglobalshop.com",
        "tiktokusds.com",
        "bytedance.com",
        "tiktokacademy.com",
        "webassessor.com" // used for this https://ads.tiktok.com/business/en-US/academy/tiktok-certification
      )
      and headers.auth_summary.dmarc.pass
    )
  )
  // negate iCloud Private Message Relay, identified by the relay root domain or
  // an X-ICLOUD-HME header field on any hop
  and not (
    sender.email.domain.root_domain == "privaterelay.appleid.com"
    or any(headers.hops, any(.fields, .name == "X-ICLOUD-HME"))
  )
  // negate highly trusted sender domains unless they fail DMARC authentication:
  // a DMARC-failing message claiming a high-trust domain still matches
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // exclude senders whose sender profile marks the message as solicited
  and not profile.by_sender().solicited

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
# stable rule identifier (UUID)
id: "aaacc8b7-fbbd-596d-9268-d90b92bdfcd7"