Brand impersonation: Barracuda Networks

Detects inbound mail that impersonates Barracuda Networks, an IT security vendor: the sender display name or sending domain references "barracuda", the root domain is not a known-legitimate Barracuda (or namesake) domain, and the sender is not already established with the organisation.

Sublime rule (View on GitHub)

# Sublime detection rule. Fires on inbound mail whose sender display name or
# sending domain references "barracuda", whose root domain is NOT on the
# allowlist below, and whose sender is not yet known to the organisation.
name: "Brand impersonation: Barracuda Networks"
description: |
    Impersonation of Barracuda Networks, an IT security company.
type: "rule"
severity: "medium"
source: |
  // Only inbound messages are evaluated.
  type.inbound
  // Brand reference. Any one of: display name contains "barracuda" (the i-
  // prefixed helpers are presumably case-insensitive), display name is within
  // Levenshtein distance 1 of "barracuda" (e.g. "baracuda", "barracudas"),
  // or the sending domain itself contains the brand string.
  and (
    strings.ilike(sender.display_name, '*barracuda*')
    or strings.ilevenshtein(sender.display_name, 'barracuda') <= 1
    or strings.ilike(sender.email.domain.domain, '*barracuda*')
  )
  // Root domains allowed to reference the brand.
  // NOTE(review): this is a string comparison on the root domain only; the
  // rule does not check that the message passed sender authentication, so a
  // message whose From: domain is spoofed to one of these entries is excluded
  // rather than flagged. Confirm whether authentication is enforced upstream.
  and sender.email.domain.root_domain not in (
    'barracuda.com',
    'barracudamsp.com',
    'barracudanetworks.com',
    // NOTE(review): presumably Barracuda sends transactional/billing mail via
    // NetSuite -- confirm, since this exempts the entire netsuite.com root
    // domain, not just Barracuda's tenant.
    'netsuite.com',

    // hockey team -- a legitimate namesake, not the security vendor
    'sharkssports.net',
    'sjbarracuda.com'
  )
  // first-time sender: senders on a free-mail root domain are judged per
  // address, all other senders per domain. A free-mail address already in
  // $sender_emails, or a corporate domain already in $sender_domains, is
  // treated as established and does not trigger the rule.
  // ($free_email_providers, $sender_emails and $sender_domains are
  // presumably externally maintained lists -- not defined in this file.)
  and (
          (
              sender.email.domain.root_domain in $free_email_providers
              and sender.email.email not in $sender_emails
          )
          or (
              sender.email.domain.root_domain not in $free_email_providers
              and sender.email.domain.domain not in $sender_domains
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
# Stable rule identifier; keep unchanged when editing the rule body.
id: "583fd5eb-ebd1-5753-944c-1d85f2a82348"