Brand impersonation: Wix

Detects messages impersonating Wix by using similar display names or domain names, while not originating from legitimate WIX domains or failing DMARC authentication from trusted senders.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Wix"
 2description: "Detects messages impersonating Wix by using similar display names or domain names, while not originating from legitimate WIX domains or failing DMARC authentication from trusted senders."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    (
 9      regex.icontains(sender.display_name, '^WIX\b')
10      or strings.ilike(sender.email.domain.domain, 'WIX')
11    )
12    or (
13      strings.icontains(sender.display_name, 'wix')
14      and regex.icontains(body.current_thread.text,
15                          "Domain Expir(?:ation|y) Not(?:ice|ification)"
16      )
17      and strings.icontains(body.current_thread.text, "will be deactivated")
18    )
19    or regex.icontains(sender.display_name, 'w\x{206E}+i\x{206E}+x')
20    // Wix address from footer
21    or 2 of (
22      strings.icontains(body.current_thread.text, 'Wix.com'),
23      strings.icontains(body.current_thread.text, '100 Gansevoort St'),
24      strings.icontains(body.current_thread.text, 'New York, NY 10014')
25    )
26    or (
27      any(ml.nlu_classifier(body.current_thread.text).entities,
28          .name in ("sender", "org") and regex.icontains(.text, '^wix\b')
29      )
30      and any(ml.nlu_classifier(body.current_thread.text).intents,
31              .name == "cred_theft" and .confidence != "low"
32      )
33    )
34  )
35  and not (
36    (
37      sender.email.domain.root_domain in~ (
38        "wix.com",
39        "wixforms.com",
40        "wixemails.com",
41        "wixanswers.com",
42        "wix-groups.com",
43        "ascendbywix.com"
44      )
45      and headers.auth_summary.dmarc.pass
46    )
47  )
48  // negation for messages traversing wix.com
49  and not (
50    any(headers.domains, .root_domain in ("wix.com", "ascendbywix.com"))
51    and headers.auth_summary.spf.pass
52    and headers.auth_summary.dmarc.pass
53  )
54  and not profile.by_sender().solicited
55  // negate highly trusted sender domains unless they fail DMARC authentication
56  and (
57    (
58      sender.email.domain.root_domain in $high_trust_sender_root_domains
59      and not headers.auth_summary.dmarc.pass
60    )
61    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
62  )  
63
64attack_types:
65  - "Credential Phishing"
66tactics_and_techniques:
67  - "Impersonation: Brand"
68  - "Lookalike domain"
69  - "Social engineering"
70detection_methods:
71  - "Header analysis"
72  - "Sender analysis"
73id: "45e7b99f-94fc-5ae4-b5c9-ebfb59b04fe9"
to-top