Brand impersonation: TikTok
Detects messages impersonating TikTok through similar display names or logo detection, combined with security-themed content and authentication failures. Excludes legitimate TikTok communications and trusted senders.
Sublime rule (View on GitHub)
1name: "Brand impersonation: TikTok"
2description: "Detects messages impersonating TikTok through similar display names or logo detection, combined with security-themed content and authentication failures. Excludes legitimate TikTok communications and trusted senders."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 // TikTok Brand Detection
9 (
10 // display name contains tiktok
11 strings.ilike(strings.replace_confusables(sender.display_name), '*tiktok*')
12 // levenshtein distance similar to tiktok
13 or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
14 'tiktok'
15 ) <= 1
16 or (
17 length(ml.logo_detect(file.message_screenshot()).brands) == 1
18 and any(ml.logo_detect(file.message_screenshot()).brands,
19 .name == "TikTok" and .confidence == "high"
20 )
21 )
22 )
23 // OR TikTok verification language
24 or (
25 strings.icontains(body.current_thread.text, "tiktok")
26 and (
27 strings.icontains(body.current_thread.text, "verified badge")
28 or strings.icontains(body.current_thread.text, "verification criteria")
29 or strings.icontains(body.current_thread.text, "activate badge")
30 or strings.icontains(body.current_thread.text, "verification complete")
31 or strings.icontains(body.current_thread.text, "almost verified")
32 or strings.icontains(body.current_thread.text, "review complete")
33 )
34 )
35 )
36 and (
37 // ML Topic Analysis and Credential Theft Detection
38 any(beta.ml_topic(body.current_thread.text).topics,
39 .name in (
40 "Security and Authentication",
41 "Secure Message",
42 "Reminders and Notifications"
43 )
44 and .confidence in ("medium", "high")
45 )
46 or any(beta.ml_topic(beta.ocr(file.message_screenshot()).text).topics,
47 .name in (
48 "Security and Authentication",
49 "Secure Message",
50 "Reminders and Notifications"
51 )
52 and .confidence in ("medium", "high")
53 and beta.ocr(file.message_screenshot()).text != ""
54 )
55 or any(ml.nlu_classifier(body.current_thread.text).intents,
56 .name == "cred_theft" and .confidence == "high"
57 )
58 or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
59 .name == "cred_theft" and .confidence == "high"
60 )
61 )
62 // Not from legitimate TikTok or Google domains with DMARC pass
63 and not (
64 sender.email.domain.root_domain in $org_domains
65 or (
66 sender.email.domain.root_domain in (
67 "tiktok.com",
68 "tiktokglobalshop.com",
69 "bytedance.com",
70 "tiktokacademy.com",
71 "webassessor.com" // used for this https://ads.tiktok.com/business/en-US/academy/tiktok-certification
72 )
73 and headers.auth_summary.dmarc.pass
74 )
75 )
76 // negate iCloud Private Message Relay
77 and not (
78 sender.email.domain.root_domain == "privaterelay.appleid.com"
79 or any(headers.hops, any(.fields, .name == "X-ICLOUD-HME"))
80 )
81 // negate highly trusted sender domains unless they fail DMARC authentication
82 and (
83 (
84 sender.email.domain.root_domain in $high_trust_sender_root_domains
85 and not headers.auth_summary.dmarc.pass
86 )
87 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
88 )
89 and not profile.by_sender().solicited
90
91attack_types:
92 - "Credential Phishing"
93tactics_and_techniques:
94 - "Impersonation: Brand"
95 - "Social engineering"
96detection_methods:
97 - "Computer Vision"
98 - "Content analysis"
99 - "Header analysis"
100 - "Natural Language Understanding"
101 - "Optical Character Recognition"
102 - "Sender analysis"
103id: "aaacc8b7-fbbd-596d-9268-d90b92bdfcd7"