Brand impersonation: Chase Bank
Impersonation of Chase Bank and related services to harvest credentials or related information such as dates of birth, phone numbers, social security numbers, ATM pin numbers, drivers license numbers, selfies, and ID card photos.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Chase Bank"
2description: |
3 Impersonation of Chase Bank and related services to harvest credentials or related information
4 such as dates of birth, phone numbers, social security numbers, ATM pin numbers, drivers license
5 numbers, selfies, and ID card photos.
6references:
7 - "https://cyware.com/news/new-phishing-scam-impersonating-chase-bank-asks-for-sensitive-data-including-selfies-53065228"
8type: "rule"
9severity: "high"
10source: |
11 type.inbound
12 and (
13 strings.ilike(sender.display_name,
14 '*chase sapphire*',
15 '*chase card services*',
16 '*united mileageplus*',
17 "echase*",
18 "*freedom unlimited*"
19 )
20 or strings.ilevenshtein(sender.display_name, 'chase sapphire') <= 2
21 or strings.ilevenshtein(sender.display_name, 'chase card services') <= 2
22 or strings.ilevenshtein(sender.display_name, 'united mileageplus') <= 2
23 or (
24 (
25 strings.ilevenshtein(sender.display_name, 'echase') <= 1
26 or (
27 strings.icontains(sender.display_name, "bank")
28 and strings.icontains(subject.base, "chase bank")
29 )
30 )
31 // Negate Chase sender display name if cred theft, callback phishing, and a Chase logo isn't detected
32 and not (
33 strings.icontains(sender.display_name, 'chase')
34 and not (
35 any(ml.nlu_classifier(body.current_thread.text).intents,
36 .name == "cred_theft" and .confidence in ("medium", "high")
37 )
38 or any(ml.nlu_classifier(body.current_thread.text).intents,
39 .name == "callback_scam" and .confidence in ("medium", "high")
40 )
41 or any(ml.logo_detect(file.message_screenshot()).brands,
42 strings.starts_with(.name, "Chase")
43 )
44 )
45 )
46 )
47 or regex.icontains(body.current_thread.text,
48 '(Chase|J\.?\s?P\.?\sMorgan)\s(Privacy|Treasury)\sOperations|(Privacy|Treasury)\sOperations\s(Chase|J\.?\s?P\.?\sMorgan)'
49 )
50 )
51 and not (
52 sender.display_name is not null and sender.display_name in~ ("chaser", "case")
53 )
54 and sender.email.domain.root_domain not in~ (
55 'chase.com',
56 'united.com',
57 'transunion.com',
58 'shopping-chase.com',
59 'chasetravel.com',
60 'chaseoffers.com'
61 )
62
63 // negate highly trusted sender domains unless they fail DMARC authentication
64 and (
65 (
66 sender.email.domain.root_domain in $high_trust_sender_root_domains
67 and not headers.auth_summary.dmarc.pass
68 )
69 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
70 )
71attack_types:
72 - "Credential Phishing"
73tactics_and_techniques:
74 - "Impersonation: Brand"
75 - "Lookalike domain"
76 - "Social engineering"
77detection_methods:
78 - "Header analysis"
79 - "Sender analysis"
80id: "c680f1e7-01b9-5b95-897b-65957f4a57aa"