Brand impersonation: Binance

Impersonation of the cryptocurrency exchange Binance.

Sublime rule

name: "Brand impersonation: Binance"
description: |
    Impersonation of the cryptocurrency exchange Binance.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name, '*binance*')
    or strings.ilevenshtein(sender.display_name, 'binance') <= 1
    or strings.ilike(sender.email.domain.domain, '*binance*')
    or strings.ilike(subject.subject, '*binance*')
  )
  and sender.email.domain.root_domain not in~ (
    'binance.com',
    'binance.us',
    'trustwallet.com',
    'binance.charity'
  )
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .text == "Binance"
  )
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "financial"
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
    or any(ml.nlu_classifier(body.current_thread.text).entities,
           .name == "request"
    )
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .text in~ ("withdrawal", "deposit")
    )
    or any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
  )
  and (
    // if this comes from a free email provider,
    // flag if org has never sent an email to sender's email before
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    // if this comes from a custom domain,
    // flag if org has never sent an email to sender's domain before
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
tags:
  - "Cryptocurrency"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "c3302a76-ff5f-5619-b806-2bfec382f588"
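To see how the clauses above combine, the following is an added Python model of the rule, written for this page and not part of Sublime's code base or MQL engine. It re-implements the deterministic parts (the case-insensitive glob on display name, domain and subject, the edit-distance lookalike check, the Binance-owned root-domain allowlist, and the first-contact logic) and takes the NLU classifier's entities and intents, the free-provider list and the org's recipient history as constructed inputs, since those come from Sublime's models and per-tenant data. `root_domain` is a two-label approximation of Sublime's public-suffix-based `root_domain`; the sample messages are constructed.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed stand-ins for Sublime's $free_email_providers list and for the
# four Binance-owned root domains the rule excludes.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
ALLOWED_ROOT_DOMAINS = {"binance.com", "binance.us", "trustwallet.com", "binance.charity"}
BINANCE_GLOB = "*binance*"


def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive glob match, mirroring strings.ilike ('*' and '?' wildcards)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the classic two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance, mirroring strings.ilevenshtein."""
    return levenshtein(a.lower(), b.lower())


def root_domain(domain: str) -> str:
    """Assumption: last two labels. Sublime uses the public suffix list, so
    multi-part suffixes such as co.uk would need that list in practice."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


@dataclass
class Message:
    display_name: str
    sender_email: str
    subject: str
    entities: list            # (name, text) pairs as the NLU classifier would return (constructed)
    intents: list             # intent names from the NLU classifier (constructed)
    org_sent_to_emails: set = field(default_factory=set)   # stands in for $recipient_emails
    org_sent_to_domains: set = field(default_factory=set)  # stands in for $recipient_domains

    @property
    def sender_domain(self) -> str:
        return self.sender_email.rsplit("@", 1)[1].lower()


def matches_binance_impersonation(msg: Message) -> bool:
    domain = msg.sender_domain
    # 1. Envelope mentions Binance, or the whole display name is within one edit of it.
    if not (ilike(msg.display_name, BINANCE_GLOB)
            or ilevenshtein(msg.display_name, "binance") <= 1
            or ilike(domain, BINANCE_GLOB)
            or ilike(msg.subject, BINANCE_GLOB)):
        return False
    # 2. Mail from Binance-owned root domains (including their subdomains) is excluded.
    if root_domain(domain) in ALLOWED_ROOT_DOMAINS:
        return False
    # 3. Body names Binance (case-sensitive, as in the rule), is financial,
    #    and carries urgency or a request.
    names = {name for name, _ in msg.entities}
    if not any(text == "Binance" for _, text in msg.entities):
        return False
    if "financial" not in names or not ({"urgency", "request"} & names):
        return False
    # 4. A withdrawal/deposit entity, or any non-benign intent.
    texts = {text.lower() for _, text in msg.entities}
    if not (texts & {"withdrawal", "deposit"} or any(i != "benign" for i in msg.intents)):
        return False
    # 5. First contact: unknown mailbox for free providers, unknown domain otherwise.
    if root_domain(domain) in FREE_EMAIL_PROVIDERS:
        return msg.sender_email.lower() not in msg.org_sent_to_emails
    return domain not in msg.org_sent_to_domains


# Constructed sample messages exercising each branch of the rule.
SAMPLES = {
    "lookalike_custom_domain": Message(
        "Binance Support", "security@binance-verify.com", "Action required: withdrawal on hold",
        [("org", "Binance"), ("financial", "withdrawal"), ("urgency", "within 24 hours")],
        ["cred_theft"]),
    "legit_binance_subdomain": Message(
        "Binance", "no-reply@mail.binance.com", "Your withdrawal is complete",
        [("org", "Binance"), ("financial", "withdrawal"), ("request", "confirm")],
        ["cred_theft"]),
    "typo_display_known_gmail": Message(
        "Blnance", "alice@gmail.com", "Deposit question",
        [("org", "Binance"), ("financial", "deposit"), ("request", "please")],
        ["benign"], org_sent_to_emails={"alice@gmail.com"}),
    "unknown_freemail_subject_only": Message(
        "Alex Chen", "alex.chen.help@outlook.com", "Binance account verification needed",
        [("org", "Binance"), ("financial", "account"), ("request", "verify your account")],
        ["cred_theft"]),
}


def evaluate_all() -> dict:
    return {name: matches_binance_impersonation(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name}: {'FLAG' if hit else 'pass'}")
```

Two details worth noticing while reading the rule: the `ilevenshtein` clause compares the entire display name against `binance`, so `Binance Support` is caught by the glob rather than the distance check, and only short lookalikes such as `Blnance` rely on the distance; and the allowlist is keyed on `root_domain`, so legitimate mail from subdomains like `mail.binance.com` is excluded while `binance-verify.com` is not.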
