Brand impersonation: Vanguard

Detects inbound messages from senders using Vanguard-like display names or domains, excluding authenticated messages from legitimate Vanguard domains. Additional checks ensure the sender is not from trusted organizational domains, nor from high-trust sender domains that pass authentication, nor a sender the recipient has previously solicited.

Sublime rule (View on GitHub)

# Sublime Security detection rule: the YAML fields are metadata, the `source`
# block is an MQL boolean expression evaluated per inbound message.
name: "Brand impersonation: Vanguard"
description: "Detects inbound messages from senders using Vanguard-like display names or domains, excluding legitimate Vanguard domains and authenticated communications. Additional checks ensure the sender is not from trusted organizational domains or high-trust sender domains with proper authentication."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // Sender presents as Vanguard: any one of the three checks below suffices.
    // strings.replace_confusables is applied first so look-alike characters in
    // the display name / domain are normalized before the comparison.
    // display name contains Vanguard
    (
      strings.ilike(strings.replace_confusables(sender.display_name),
                    '*vanguard*'
      )
      // levenshtein distance similar to Vanguard
      // (distance <= 1: a single substitution/insertion/deletion, e.g. a typo-squat
      // of the bare word; longer display names are caught by the ilike above)
      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                              'vanguard'
      ) <= 1
      // sender domain contains Vanguard
      or strings.ilike(strings.replace_confusables(sender.email.domain.domain),
                       '*vanguard*'
      )
    )
  )
  // Content gate: the message must BOTH land on a high-confidence topic that fits a
  // Vanguard lure AND carry a high-confidence cred_theft intent. Each classifier is
  // run on body.current_thread.text and again on beta.ocr(beta.message_screenshot()).text,
  // so text that only appears in the rendered message is still covered.
  and (
    (
      any(beta.ml_topic(body.current_thread.text).topics,
          .name in (
            "Security and Authentication",
            "Secure Message",
            "Financial Communications"
          )
          and .confidence == "high"
      )
      or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,
             .name in (
               "Security and Authentication",
               "Secure Message",
               "Financial Communications"
             )
             and .confidence == "high"
      )
    )
    and (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence == "high"
      )
      or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
             .name == "cred_theft" and .confidence == "high"
      )
    )
  )
  
  // and the sender is not in org_domains or from Vanguard domains and passes auth
  // Exclusions. Note the Vanguard-domain branch is only excluded when DMARC passes:
  // a message whose From: claims one of these root domains but fails DMARC still fires.
  and not (
    sender.email.domain.root_domain in $org_domains
    or (
      sender.email.domain.root_domain in (
        "vanguard.com",
        "vanguardcharitable.org", // philanthropic giving arm
        "vanguardmexico.com",
        "vanguardcanada.ca",
        "vanguard.co.uk",
        "vanguard.com.au",
        "vanguard.com.hk",
        "vanguardinvestor.co.uk",
        "vanguardretirement-mail.com",
        "e-vanguard.com",
        "e-vanguardcharitable.org",
        "feedback-vanguard.com",
        "m-vanguard.com",
        // NOTE(review): the two domains below are not Vanguard-branded; presumably
        // third-party delivery/support senders used by Vanguard — verify before relying on them.
        "investordelivery.com",
        "retsupport.com"
      )
      and headers.auth_summary.dmarc.pass
    )
    // Unrelated business whose name happens to contain "Vanguard".
    // NOTE(review): unlike the branch above, this exception is not gated on
    // headers.auth_summary.dmarc.pass — confirm that is intended.
    or (
      sender.display_name == "Vanguard Visa Law"
      and sender.email.domain.root_domain == "docketwise.com"
    )
  )
  // and the sender is not from high trust sender root domains
  // Logically equivalent to:
  //   not (root_domain in $high_trust_sender_root_domains and dmarc.pass)
  // i.e. a high-trust domain is trusted only when it authenticates; unauthenticated
  // mail claiming a high-trust domain still fires.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Presumably suppresses senders the recipient has previously written to
  // (solicited) — confirm against the profile.by_sender() semantics.
  and not profile.by_sender().solicited  

# Metadata used for triage/reporting; does not affect the match logic above.
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
  - "Credential Phishing"
  - "Extortion"
  - "Malware/Ransomware"
  - "Spam"
tactics_and_techniques:
  - "Impersonation: Brand"
detection_methods:
  - "Natural Language Understanding"
  - "Header analysis"
  - "Sender analysis"
# Stable identifier for this rule.
id: "3bd048fe-5b3e-5050-b0d6-669653e14d9a"