Brand impersonation: Barracuda Networks
Impersonation of Barracuda Networks, an IT security company.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Barracuda Networks"
2description: |
3 Impersonation of Barracuda Networks, an IT security company.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and (
9 strings.ilike(sender.display_name, '*barracuda*')
10 or strings.ilevenshtein(sender.display_name, 'barracuda') <= 1
11 or strings.ilike(sender.email.domain.domain, '*barracuda*')
12 )
13 and sender.email.domain.root_domain not in (
14 'barracuda.com',
15 'barracudamsp.com',
16 'barracudanetworks.com',
17 'netsuite.com',
18
19 // hockey team
20 'sharkssports.net',
21 'sjbarracuda.com',
22
23 // Barracuda Barcatering
24 'barracuda-barcatering.de',
25
26 // Barracuda Events Team
27 'worldspan.co.uk',
28
29 // Barracudas Day Camps
30 'barracudas.co.uk',
31
32 // BarracudaShoes
33 'barracudashoes.it'
34 )
35
36 and (
37 profile.by_sender().prevalence in ("new", "outlier")
38 or (
39 profile.by_sender().any_messages_malicious_or_spam
40 and not profile.by_sender().any_messages_benign
41 )
42 )
43
44attack_types:
45 - "Credential Phishing"
46tactics_and_techniques:
47 - "Impersonation: Brand"
48 - "Lookalike domain"
49 - "Social engineering"
50detection_methods:
51 - "Header analysis"
52 - "Sender analysis"
53id: "583fd5eb-ebd1-5753-944c-1d85f2a82348"