Brand impersonation: AuthentiSign
Detects messages impersonating AuthentiSign through display name, domain, subject, or body content that either originate from non-AuthentiSign or spoofed domains.
Sublime rule (View on GitHub)
1name: "Brand impersonation: AuthentiSign"
2description: "Detects messages impersonating AuthentiSign through display name, domain, subject, or body content that either originate from non-AuthentiSign or spoofed domains."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and strings.icontains(body.current_thread.text, "authentisign")
8 and (
9 regex.icontains(body.current_thread.text, 'signing (?:name|party)')
10 or strings.ilike(sender.display_name, '*authentisign*')
11 or strings.ilevenshtein(sender.display_name, 'authentisign') <= 1
12 or strings.ilike(sender.email.domain.domain, '*authentisign*')
13 )
14 and (
15 sender.email.domain.root_domain != "authentisign.com"
16 or (
17 sender.email.domain.root_domain == "authentisign.com"
18 and not (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
19 )
20 )
21
22attack_types:
23 - "Credential Phishing"
24 - "BEC/Fraud"
25tactics_and_techniques:
26 - "Impersonation: Brand"
27 - "Lookalike domain"
28 - "Social engineering"
29detection_methods:
30 - "Content analysis"
31 - "Header analysis"
32 - "Sender analysis"
33id: "445a8c8b-cd38-5161-bf56-2eab83419e24"