Brand impersonation: Barracuda Networks

Impersonation of Barracuda Networks, an IT security company.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Barracuda Networks"
 2description: |
 3    Impersonation of Barracuda Networks, an IT security company.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and (
 9    strings.ilike(sender.display_name, '*barracuda*')
10    or strings.ilevenshtein(sender.display_name, 'barracuda') <= 1
11    or strings.ilike(sender.email.domain.domain, '*barracuda*')
12  )
13  and sender.email.domain.root_domain not in (
14    'barracuda.com',
15    'barracudamsp.com',
16    'barracudanetworks.com',
17    'netsuite.com',
18  
19    // hockey team
20    'sharkssports.net',
21    'sjbarracuda.com',
22  
23    // Barracuda Barcatering
24    'barracuda-barcatering.de',
25    
26   // Barracuda Events Team
27    'worldspan.co.uk',
28  
29  // Barracudas Day Camps
30    'barracudas.co.uk'
31  )
32  and (
33    profile.by_sender().prevalence in ("new", "outlier")
34    or (
35      profile.by_sender().any_messages_malicious_or_spam
36      and not profile.by_sender().any_false_positives
37    )
38  )  
39
40attack_types:
41  - "Credential Phishing"
42tactics_and_techniques:
43  - "Impersonation: Brand"
44  - "Lookalike domain"
45  - "Social engineering"
46detection_methods:
47  - "Header analysis"
48  - "Sender analysis"
49id: "583fd5eb-ebd1-5753-944c-1d85f2a82348"