Brand Impersonation: WeTransfer

Detects messages claiming to be from WeTransfer that contain suspicious indicators, including misspelled domains, non-standard TLDs, suspicious file reference numbers, and French language variations. Excludes legitimate WeTransfer traffic with valid DMARC authentication.


 1name: "Brand Impersonation: WeTransfer"
 2description: "Detects messages claiming to be from WeTransfer that contain suspicious indicators, including misspelled domains, non-standard TLDs, suspicious file reference numbers, and French language variations. Excludes legitimate WeTransfer traffic with valid DMARC authentication."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and 2 of (
 8    (
 9      strings.ilike(sender.display_name, '*wetransfer*')
10      or strings.ilike(sender.display_name, '*we transfer*')
11      or strings.ilevenshtein(sender.display_name, "wetransfer") <= 1
12    ),
13  
14    // Check for misspelled wetransfer domains in sender email
15    regex.icontains(sender.email.email, 'nore?pl[a@]y@wetransfer'),
16  
17    // Check for non-legitimate TLDs (.fr or others)
18    regex.icontains(sender.email.domain.root_domain, 'wetransfer\\.[a-z]{2,4}$'),
19  
20    // Suspicious subject patterns
21    regex.icontains(subject.subject,
22                    '(?:Documents?|Files?) (?:Received|Sent) (?:via)? WeTransfer'
23    ),
24  
25    // Check for file reference numbers which are common in phishing
26    regex.icontains(subject.subject,
27                    'WeTransfer \[(?:File No\.|)\s*:\s*[0-9-]+\s*\]'
28    ),
29  
30    // French language patterns
31    regex.icontains(subject.subject, 'vous a envoy[ée] .{1,30} par WeTransfer'),
32    regex.icontains(subject.subject, "T[ÉE]L[ÉE]CHARGEZ VOTRE FICHIER"),
33    regex.icontains(body.current_thread.text, 'transfert expirera'),
34    regex.icontains(body.current_thread.text,
35                    "fichiers n'aient pas encore été téléchargés"
36    ),
37    any(body.links,
38        strings.ilike(.display_text, '*wetransfer*')
39        and .href_url.domain.root_domain not in~ ('wetransfer.com', 'we.tl')
40    ),
41    any(body.links,
42        (
43          .href_url.domain.root_domain in $free_file_hosts
44          and .href_url.domain.root_domain not in~ ('wetransfer.com', 'we.tl')
45        )
46        or network.whois(.href_url.domain).days_old < 30
47        or .href_url.domain.tld in $suspicious_tlds
48    )
49  )
50  and not (
51    sender.email.domain.root_domain in ("wetransfer.com", "we.tl")
52    and headers.auth_summary.dmarc.pass
53  )
54  // negate highly trusted sender domains unless they fail DMARC authentication
55  and (
56    (
57      sender.email.domain.root_domain in $high_trust_sender_root_domains
58      and not headers.auth_summary.dmarc.pass
59    )
60    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
61  )
62  and (
63    not profile.by_sender().solicited
64    or (
65      profile.by_sender().any_messages_malicious_or_spam
66      and not profile.by_sender().any_false_positives
67    )
68  )
69  and not profile.by_sender().any_false_positives  
70
71attack_types:
72  - "BEC/Fraud"
73  - "Callback Phishing"
74  - "Credential Phishing"
75  - "Extortion"
76  - "Malware/Ransomware"
77  - "Spam"
78tactics_and_techniques:
79  - "Impersonation: Brand"
80detection_methods:
81  - "Content analysis"
82  - "Header analysis"
83  - "Sender analysis"
84id: "e37885ad-1099-58f9-a428-0910c666d119"