Brand impersonation: Apple
Impersonation of Apple.
Sublime rule (View on GitHub)
name: "Brand impersonation: Apple"
description: |
  Impersonation of Apple.
references:
  - "https://www.computerworld.com/article/3538470/how-to-protect-against-apple-phishing-scams.html"
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    sender.display_name =~ 'apple developer'
    or strings.ilevenshtein(sender.display_name, 'apple developer') <= 2
  )
  and sender.email.domain.root_domain !~ 'apple.com'
  and sender.email.email not in $recipient_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "0b17f2c2-e100-5d51-b53e-ee3da0431f1d"
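The rule's `source` conditions approximated in Python and run over constructed sender data, to show which display names fall inside the edit-distance threshold of 2. This is an added example, not Sublime's code or engine: the sample messages, the `RECIPIENT_EMAILS` set and the pre-parsed `root_domain` field are constructed, and `$recipient_emails` is assumed to be a list of addresses the organization already corresponds with.

```python
# Added illustration: a Python approximation of the rule's MQL `source` block.
# Not Sublime's engine; every message and address below is constructed.

def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive Levenshtein edit distance (two-row dynamic programme)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def rule_matches(msg: dict, recipient_emails: set) -> bool:
    """Mirror the four AND-ed conditions of the rule, in the same order."""
    name = msg["display_name"]
    return (
        msg["inbound"]
        and (name.lower() == "apple developer"
             or ilevenshtein(name, "apple developer") <= 2)
        and msg["root_domain"].lower() != "apple.com"
        and msg["email"] not in recipient_emails
    )

# Assumption: stands in for $recipient_emails (constructed value).
RECIPIENT_EMAILS = {"partner@vendor.example"}

# Constructed samples; root_domain is given pre-parsed, as MQL exposes it.
SAMPLES = [
    {"inbound": True, "display_name": "Apple Developer",          # real domain
     "email": "noreply@email.apple.com", "root_domain": "apple.com"},
    {"inbound": True, "display_name": "App1e Deve1oper",          # distance 2
     "email": "team@dev-notice.example", "root_domain": "dev-notice.example"},
    {"inbound": True, "display_name": "APPLE DEVELOPER",          # known sender
     "email": "partner@vendor.example", "root_domain": "vendor.example"},
    {"inbound": True, "display_name": "Apple Developer Support",  # distance 8
     "email": "help@dev-notice.example", "root_domain": "dev-notice.example"},
]

def evaluate(samples=SAMPLES):
    return [rule_matches(m, RECIPIENT_EMAILS) for m in samples]

if __name__ == "__main__":
    for m, hit in zip(SAMPLES, evaluate()):
        print(f"{m['display_name']!r:28} <{m['email']}> -> {'MATCH' if hit else 'no match'}")
```

Only the second sample matches: the first is excluded by the `apple.com` root domain, the third by the known-sender list, and the fourth because its display name is more than two edits from the target string.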