Brand impersonation: Chase Bank
Impersonation of Chase Bank and related services to harvest credentials or related information such as dates of birth, phone numbers, social security numbers, ATM pin numbers, drivers license numbers, selfies, and ID card photos.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Chase Bank"
2description: |
3 Impersonation of Chase Bank and related services to harvest credentials or related information
4 such as dates of birth, phone numbers, social security numbers, ATM pin numbers, drivers license
5 numbers, selfies, and ID card photos.
6references:
7 - "https://cyware.com/news/new-phishing-scam-impersonating-chase-bank-asks-for-sensitive-data-including-selfies-53065228"
8type: "rule"
9severity: "high"
10source: |
11 type.inbound
12 and (
13 strings.ilike(sender.display_name,
14 '*chase sapphire*',
15 '*chase card services*',
16 '*united mileageplus*',
17 "echase*"
18 )
19 or strings.ilevenshtein(sender.display_name, 'chase sapphire') <= 2
20 or strings.ilevenshtein(sender.display_name, 'chase card services') <= 2
21 or strings.ilevenshtein(sender.display_name, 'united mileageplus') <= 2
22 or strings.ilevenshtein(sender.display_name, 'echase') <= 1
23 )
24 and sender.display_name not in~ ("chaser", "case")
25 and sender.email.domain.root_domain not in~ ('chase.com', 'united.com', 'transunion.com', 'shopping-chase.com')
26 and (
27 profile.by_sender().prevalence in ("new", "outlier")
28 or (
29 profile.by_sender().any_messages_malicious_or_spam
30 and not profile.by_sender().any_false_positives
31 )
32 )
33
34 // negate highly trusted sender domains unless they fail DMARC authentication
35 and (
36 (
37 sender.email.domain.root_domain in $high_trust_sender_root_domains
38 and not headers.auth_summary.dmarc.pass
39 )
40 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
41 )
42 // and not solicited
43 and not profile.by_sender().solicited
44attack_types:
45 - "Credential Phishing"
46tactics_and_techniques:
47 - "Impersonation: Brand"
48 - "Lookalike domain"
49 - "Social engineering"
50detection_methods:
51 - "Header analysis"
52 - "Sender analysis"
53id: "c680f1e7-01b9-5b95-897b-65957f4a57aa"