Brand impersonation: Binance

Impersonation of the cryptocurrency exchange Binance.

Sublime rule

```yaml
name: "Brand impersonation: Binance"
description: |
    Impersonation of the cryptocurrency exchange Binance.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name, '*binance*')
    or strings.ilevenshtein(sender.display_name, 'binance') <= 1
    or strings.ilike(sender.email.domain.domain, '*binance*')
    or strings.ilike(subject.subject, '*binance*')
  )
  and sender.email.domain.root_domain not in~ ('binance.com', 'trustwallet.com', 'binance.charity')
  and any(ml.nlu_classifier(body.current_thread.text).entities, .text == "Binance")
  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial")
  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities, .text in~ ("withdrawal", "deposit"))
    or any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
  )
  and (
    // if this comes from a free email provider,
    // flag if org has never sent an email to sender's email before
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    // if this comes from a custom domain,
    // flag if org has never sent an email to sender's domain before
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
tags:
  - "Cryptocurrency"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "c3302a76-ff5f-5619-b806-2bfec382f588"
```
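The deterministic part of this rule (the brand lookalike checks on display name, domain and subject, the exclusion of Binance's own root domains, and the first-contact logic) re-implemented as an added Python example; this is not Sublime's code or the rule engine, and the NLU entity and intent conditions are left out. The provider and recipient lists, the sample messages and the case-insensitive Levenshtein helper are constructed assumptions that stand in for `$free_email_providers`, `$recipient_emails`, `$recipient_domains` and `strings.ilevenshtein`.

```python
# Added example, not part of the Sublime rule above: emulates the sender,
# subject and first-contact checks; NLU conditions are out of scope here.
from dataclasses import dataclass

# Assumption: stand-ins for $free_email_providers, $recipient_emails,
# $recipient_domains (constructed sample data).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
RECIPIENT_EMAILS = {"known.partner@gmail.com"}
RECIPIENT_DOMAINS = {"partner-corp.example"}
LEGIT_ROOT_DOMAINS = {"binance.com", "trustwallet.com", "binance.charity"}

@dataclass
class Message:
    display_name: str
    sender_email: str
    subject: str

def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance, like strings.ilevenshtein."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def root_domain(domain: str) -> str:
    # Assumption: last two labels form the root; no public-suffix handling.
    return ".".join(domain.lower().split(".")[-2:])

def binance_impersonation(msg: Message) -> bool:
    """True when the non-NLU conditions of the rule would all hold."""
    domain = msg.sender_email.split("@", 1)[1].lower()
    root = root_domain(domain)
    brand_hit = (
        "binance" in msg.display_name.lower()            # ilike '*binance*'
        or ilevenshtein(msg.display_name, "binance") <= 1  # one-char typo
        or "binance" in domain                            # lookalike domain
        or "binance" in msg.subject.lower()
    )
    if not brand_hit or root in LEGIT_ROOT_DOMAINS:
        return False
    if root in FREE_EMAIL_PROVIDERS:
        # free mailbox: suspicious only if the org never wrote to this address
        return msg.sender_email.lower() not in RECIPIENT_EMAILS
    # custom domain: suspicious only if the org never wrote to this domain
    return domain not in RECIPIENT_DOMAINS
```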
