Brand impersonation: Barracuda Networks

 1name: "Brand impersonation: Barracuda Networks"
 2description: |
 3    Impersonation of Barracuda Networks, an IT security company.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and (
 9    strings.ilike(sender.display_name, '*barracuda*')
10    or strings.ilevenshtein(sender.display_name, 'barracuda') <= 1
11    or strings.ilike(sender.email.domain.domain, '*barracuda*')
12  )
13  and sender.email.domain.root_domain not in (
14    'barracuda.com',
15    'barracudamsp.com',
16    'barracudanetworks.com',
17    'netsuite.com',
18  
19    // hockey team
20    'sharkssports.net',
21    'sjbarracuda.com',
22  
23    // Barracuda Barcatering
24    'barracuda-barcatering.de',
25    
26   // Barracuda Events Team
27    'worldspan.co.uk',
28  
29  // Barracudas Day Camps
30    'barracudas.co.uk',
31  
32    // BarracudaShoes
33    'barracudashoes.it'
34  )
35
36  and (
37    profile.by_sender().prevalence in ("new", "outlier")
38    or (
39      profile.by_sender().any_messages_malicious_or_spam
40      and not profile.by_sender().any_messages_benign
41    )
42  )  
43
44attack_types:
45  - "Credential Phishing"
46tactics_and_techniques:
47  - "Impersonation: Brand"
48  - "Lookalike domain"
49  - "Social engineering"
50detection_methods:
51  - "Header analysis"
52  - "Sender analysis"
53id: "583fd5eb-ebd1-5753-944c-1d85f2a82348"