Brand Impersonation: Trust Wallet

Detects inbound messages containing links where the sender impersonates Trust Wallet through display name manipulation and suspicious language, while not being from legitimate Trust Wallet domains. The rule checks for credential theft patterns and validates sender authentication.

Sublime rule

name: "Brand Impersonation: Trust Wallet"
description: "Detects inbound messages containing links where the sender impersonates Trust Wallet through display name manipulation and suspicious language, while not being from legitimate Trust Wallet domains. The rule checks for credential theft patterns and validates sender authentication."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(body.links) > 0
  and (
    regex.icontains(strings.replace_confusables(sender.display_name),
                    '\btrust wa[li1]{2}et\b'
    )
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'trust wallet'
    ) <= 2
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("cred_theft", "callback_scam", "steal_pii", "extortion")
        and .confidence in ("high")
    )
  )
  and sender.email.domain.root_domain not in~ ('trustwallet.com')

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and not profile.by_sender().any_false_positives

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Header analysis"
id: "e456974c-a62d-590a-b0d7-f659c9f60c8c"
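As an added illustration (not part of the Sublime rule above or of the Sublime platform), the following Python mirrors the rule's logic, including the confusable-folded regex, the edit-distance fallback, the NLU intent gate and the high-trust/DMARC negation, on constructed sample messages. The small confusables table, the message dict shape and the intent tuples standing in for ml.nlu_classifier output are assumptions.

```python
import re
import unicodedata

# Constructed, deliberately small look-alike table (Cyrillic letters that render
# like Latin ones); Sublime's strings.replace_confusables covers far more code points.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0442": "t", "\u0422": "T", "\u0455": "s",
})
DISPLAY_NAME_RE = re.compile(r"\btrust wa[li1]{2}et\b", re.IGNORECASE)
THEFT_INTENTS = {"cred_theft", "callback_scam", "steal_pii", "extortion"}
LEGIT_ROOT_DOMAINS = {"trustwallet.com"}

def replace_confusables(s):
    # NFKC folds full-width and stylised letters; the table handles Cyrillic look-alikes
    return unicodedata.normalize("NFKC", s).translate(CONFUSABLES)

def ilevenshtein(a, b):
    # case-insensitive edit distance (classic dynamic-programming table, one row at a time)
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def display_name_impersonates(name):
    # either branch of the rule's display-name block is enough
    cleaned = replace_confusables(name)
    return bool(DISPLAY_NAME_RE.search(cleaned)) or ilevenshtein(cleaned, "trust wallet") <= 2

def rule_matches(msg, high_trust_domains=frozenset()):
    """msg (assumed shape): display_name, root_domain, links, intents [(name, confidence)], dmarc_pass."""
    if not msg["links"]:
        return False
    if not display_name_impersonates(msg["display_name"]):
        return False
    # stand-in for the NLU clause: any theft-type intent with high confidence
    if not any(n in THEFT_INTENTS and c == "high" for n, c in msg["intents"]):
        return False
    if msg["root_domain"].lower() in LEGIT_ROOT_DOMAINS:
        return False
    # high-trust sender domains are negated only when they pass DMARC
    if msg["root_domain"].lower() in high_trust_domains and msg["dmarc_pass"]:
        return False
    return True
```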