Brand impersonation: Wix

Detects inbound messages that impersonate Wix through a lookalike display name or sender domain, and that either do not originate from a legitimate Wix domain with a passing DMARC result, or come from an otherwise highly trusted sender domain but fail DMARC authentication.


name: "Brand impersonation: Wix"
description: "Detects messages impersonating Wix by using similar display names or domain names, while not originating from legitimate WIX domains or failing DMARC authentication from trusted senders."
type: "rule"
severity: "medium"
# Detection logic (MQL). Read as: inbound AND (Wix-lookalike indicator)
# AND NOT (legitimate Wix domain with passing DMARC) AND NOT solicited
# AND NOT (high-trust domain with passing DMARC).
source: |
  // Only inbound mail is in scope.
  type.inbound
  and (
    // Indicator A: the display name starts with the whole word "WIX"
    // (case-insensitive), or the sender domain matches the pattern 'WIX'.
    // NOTE(review): the ilike pattern carries no '*'/'?' wildcard, so if
    // strings.ilike is glob-style it only matches a domain literally equal
    // to "wix" (no TLD). Confirm whether '*wix*' or domain.sld was intended.
    (
      regex.icontains(sender.display_name, '^WIX\b')
      or strings.ilike(sender.email.domain.domain, 'WIX')
    )
    // Indicator B: "wix" anywhere in the display name, combined with the
    // domain-expiration lure phrasing in the current thread body.
    or (
      strings.icontains(sender.display_name, 'wix')
      and strings.icontains(body.current_thread.text, "Domain Expiration Notice")
      and strings.icontains(body.current_thread.text, "will be deactivated")
    )
  )
  // Exclude genuine Wix mail: sender root domain is one of the known Wix
  // domains AND the message passed DMARC. A listed domain that fails DMARC
  // is deliberately NOT excluded, so spoofs of these domains still match.
  and not (
    (
      sender.email.domain.root_domain in~ (
        "wix.com",
        "wixforms.com",
        "wixemails.com",
        "wixanswers.com",
        "wix-groups.com"
      )
      and headers.auth_summary.dmarc.pass
    )
  )
  // Suppress senders the recipient's profile marks as solicited.
  and not profile.by_sender().solicited
  // negate highly trusted sender domains unless they fail DMARC authentication
  // ($high_trust_sender_root_domains is a list defined outside this file.)
  // Logically this is: not (high-trust domain and DMARC pass).
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  

# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
# Stable rule identifier; do not change when editing the logic.
id: "45e7b99f-94fc-5ae4-b5c9-ebfb59b04fe9"