Brand Impersonation: TikTok

Detects messages impersonating TikTok through similar display names or logo detection, combined with security-themed content and authentication failures. Excludes legitimate TikTok communications and trusted senders.

Sublime rule (View on GitHub)

# Sublime Security detection rule: flags inbound mail that impersonates the TikTok brand.
name: "Brand Impersonation: TikTok"
description: "Detects messages impersonating TikTok through similar display names or logo detection, combined with security-themed content and authentication failures. Excludes legitimate TikTok communications and trusted senders."
type: "rule"
severity: "medium"
# MQL detection logic; the rule fires only when every top-level "and" clause below is true.
source: |
  // only inbound messages are evaluated
  type.inbound
  and (
    // display name contains tiktok
    // (case-insensitive match after confusable characters are normalised)
    (
      strings.ilike(strings.replace_confusables(sender.display_name), '*tiktok*')
      // levenshtein distance similar to tiktok
      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                              'tiktok'
      ) <= 1
      // or a high-confidence TikTok logo is detected in the rendered message screenshot
      or any(ml.logo_detect(beta.message_screenshot()).brands,
             .name == "TikTok" and .confidence == "high"
      )
    )
  )
  // and the content is security/notification themed, or classified as credential theft,
  // in either the thread body text or the OCR'd text of the message screenshot
  and (
    any(beta.ml_topic(body.current_thread.text).topics,
        .name in (
          "Security and Authentication",
          "Secure Message",
          "Reminders and Notifications"
        )
        and .confidence in ("medium", "high")
    )
    // NOTE(review): the screenshot OCR expression is repeated several times below;
    // whether the engine caches that result is not visible here
    or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,
           .name in (
             "Security and Authentication",
             "Secure Message",
             "Reminders and Notifications"
           )
           and .confidence in ("medium", "high")
           // do not match on topics derived from empty OCR output
           and beta.ocr(beta.message_screenshot()).text != ""
    )
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "cred_theft" and .confidence == "high"
    )
    or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
           .name == "cred_theft" and .confidence == "high"
    )
  )
  
  // and the sender is not in org_domains or from tiktok domains and passes auth
  // NOTE(review): the $org_domains exclusion is not conditioned on DMARC, unlike the
  // TikTok-domain exclusion below — confirm that an unauthenticated sender claiming an
  // org root domain is meant to be excluded here (presumably covered by other rules)
  and not (
    sender.email.domain.root_domain in $org_domains
    or (
      sender.email.domain.root_domain in ("tiktok.com", "tiktokglobalshop.com", "bytedance.com")
      and headers.auth_summary.dmarc.pass
    )
  )
  // and the sender is not from high trust sender root domains
  // (a high-trust root domain is exempt only when the message passes DMARC)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // and the sender profile is not marked as solicited
  and not profile.by_sender().solicited  

# rule classification metadata
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "aaacc8b7-fbbd-596d-9268-d90b92bdfcd7"