Brand impersonation: Barracuda Networks

Impersonation of Barracuda Networks, an IT security company.

Sublime rule

 1name: "Brand impersonation: Barracuda Networks"
 2description: |
 3    Impersonation of Barracuda Networks, an IT security company.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and (
 9    strings.ilike(sender.display_name, '*barracuda*')
10    or strings.ilevenshtein(sender.display_name, 'barracuda') <= 1
11    or strings.ilike(sender.email.domain.domain, '*barracuda*')
12  )
13  and sender.email.domain.root_domain not in (
14    'barracuda.com',
15    'barracudamsp.com',
16    'barracudanetworks.com',
17    'netsuite.com',
18  
19    // hockey team
20    'sharkssports.net',
21    'sjbarracuda.com',
22  
23    // Barracuda Barcatering
24    'barracuda-barcatering.de'
25  )
26  and (
27    profile.by_sender().prevalence in ("new", "outlier")
28    or (
29      profile.by_sender().any_messages_malicious_or_spam
30      and not profile.by_sender().any_false_positives
31    )
32  )  
33
34attack_types:
35  - "Credential Phishing"
36tactics_and_techniques:
37  - "Impersonation: Brand"
38  - "Lookalike domain"
39  - "Social engineering"
40detection_methods:
41  - "Header analysis"
42  - "Sender analysis"
43id: "583fd5eb-ebd1-5753-944c-1d85f2a82348"