Brand impersonation: TikTok

Detects messages impersonating TikTok through similar display names or logo detection, combined with security-themed content and authentication failures. Excludes legitimate TikTok communications and trusted senders.

Sublime rule (View on GitHub)

name: "Brand impersonation: TikTok"
description: "Detects messages impersonating TikTok through similar display names or logo detection, combined with security-themed content and authentication failures. Excludes legitimate TikTok communications and trusted senders."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // TikTok brand detection: sender display name or detected logo
    (
      // display name contains tiktok (after confusable-character normalization)
      strings.ilike(strings.replace_confusables(sender.display_name), '*tiktok*')
      // levenshtein distance similar to tiktok (at most one edit away)
      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                              'tiktok'
      ) <= 1
      // logo detection: TikTok must be the only brand found, at high confidence
      or (
        length(ml.logo_detect(beta.message_screenshot()).brands) == 1
        and any(ml.logo_detect(beta.message_screenshot()).brands,
                .name == "TikTok" and .confidence == "high"
        )
      )
    )
    // OR TikTok verification language in the body text
    or (
      strings.icontains(body.current_thread.text, "tiktok")
      and (
        strings.icontains(body.current_thread.text, "verified badge")
        or strings.icontains(body.current_thread.text, "verification criteria")
        or strings.icontains(body.current_thread.text, "activate badge")
        or strings.icontains(body.current_thread.text, "verification complete")
        or strings.icontains(body.current_thread.text, "almost verified")
        or strings.icontains(body.current_thread.text, "review complete")
      )
    )
  )
  and (
    // ML topic analysis and credential theft detection
    // security / notification topics in the body text
    any(beta.ml_topic(body.current_thread.text).topics,
        .name in (
          "Security and Authentication",
          "Secure Message",
          "Reminders and Notifications"
        )
        and .confidence in ("medium", "high")
    )
    // same topics in OCR text of the message screenshot (OCR text must be non-empty)
    or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,
           .name in (
             "Security and Authentication",
             "Secure Message",
             "Reminders and Notifications"
           )
           and .confidence in ("medium", "high")
           and beta.ocr(beta.message_screenshot()).text != ""
    )
    // credential theft intent in the body text
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "cred_theft" and .confidence == "high"
    )
    // credential theft intent in OCR text of the message screenshot
    or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
           .name == "cred_theft" and .confidence == "high"
    )
  )
  // Not from org domains, and not from legitimate TikTok / ByteDance domains that pass DMARC
  and not (
    sender.email.domain.root_domain in $org_domains
    or (
      sender.email.domain.root_domain in (
        "tiktok.com",
        "tiktokglobalshop.com",
        "bytedance.com",
        "tiktokacademy.com",
        "webassessor.com" // used for this https://ads.tiktok.com/business/en-US/academy/tiktok-certification
      )
      and headers.auth_summary.dmarc.pass
    )
  )
  // negate iCloud Private Relay senders (relay domain or X-ICLOUD-HME hop header)
  and not (
    sender.email.domain.root_domain == "privaterelay.appleid.com"
    or any(headers.hops, any(.fields, .name == "X-ICLOUD-HME"))
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // exclude solicited senders (sender profile marked as solicited)
  and not profile.by_sender().solicited  

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "aaacc8b7-fbbd-596d-9268-d90b92bdfcd7"