Brand impersonation: Barracuda Networks

Impersonation of Barracuda Networks, an IT security company.

Sublime rule

 1name: "Brand impersonation: Barracuda Networks"
 2description: |
 3    Impersonation of Barracuda Networks, an IT security company.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and (
 9    strings.ilike(sender.display_name, '*barracuda*')
10    or strings.ilevenshtein(sender.display_name, 'barracuda') <= 1
11    or strings.ilike(sender.email.domain.domain, '*barracuda*')
12  )
13  and sender.email.domain.root_domain not in (
14    'barracuda.com',
15    'barracudamsp.com',
16    'barracudanetworks.com',
17    'netsuite.com',
18  
19    // hockey team
20    'sharkssports.net',
21    'sjbarracuda.com',
22  
23    // Barracuda Barcatering
24    'barracuda-barcatering.de',
25  
26    // Barracuda Events Team
27    'worldspan.co.uk',
28  
29    // Barracudas Day Camps
30    'barracudas.co.uk',
31  
32    // BarracudaShoes
33    'barracudashoes.it'
34  )
35  and (
36    profile.by_sender().prevalence in ("new", "outlier")
37    or (
38      profile.by_sender().any_messages_malicious_or_spam
39      and not profile.by_sender().any_messages_benign
40    )
41  )  
42attack_types:
43  - "Credential Phishing"
44tactics_and_techniques:
45  - "Impersonation: Brand"
46  - "Lookalike domain"
47  - "Social engineering"
48detection_methods:
49  - "Header analysis"
50  - "Sender analysis"
51id: "583fd5eb-ebd1-5753-944c-1d85f2a82348"