Brand impersonation: Coinbase
Impersonation of the cryptocurrency exchange Coinbase to harvest Coinbase credentials or related information.
# Sublime detection rule. The `source` block is an MQL query that flags
# inbound mail whose sender identity mimics Coinbase (display name or sending
# domain) from a sender the org has not corresponded with before, unless the
# message comes from an allowlisted Coinbase root domain AND passes DMARC.
name: "Brand impersonation: Coinbase"
description: |
  Impersonation of the cryptocurrency exchange Coinbase to harvest Coinbase credentials
  or related information.
references:
  - "https://blog.coinbase.com/phishing-attacks-and-how-to-not-fall-victim-42b489d77199"
type: "rule"
severity: "high"
# Inside the block scalar below `//` is an MQL comment; a `#` would be part
# of the query text, not a YAML comment.
source: |
  type.inbound
  // sender identity looks like Coinbase: the display name (after confusable
  // characters are normalised) contains "coinbase" or is within one edit of
  // it, or the sending domain contains the substring "coinbase" (this also
  // matches subdomains and lookalikes such as coinbase-<anything>).
  // The edit-distance branch compares the whole display name, so names with
  // extra words (e.g. "Coinbase Support") are caught by the wildcard branch.
  and (
    strings.ilike(strings.replace_confusables(sender.display_name), '*coinbase*')
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'coinbase'
    ) <= 1
    or strings.ilike(sender.email.domain.domain, '*coinbase*')
  )
  // known Coinbase sender root domains are excluded only when DMARC passes,
  // so a spoofed From: on one of these domains is still evaluated
  and not (
    sender.email.domain.root_domain in (
      'coinbase.com',
      'q4inc.com', // NOTE(review): not explained here; confirm it is still a Coinbase-used sender
      'sendsafely.com' // used by Coinbase for verification codes
    )
    and headers.auth_summary.dmarc.pass
  )
  // both branches below require that the org has no prior outbound history
  // with the sender (address for free providers, domain for custom domains)
  and (
    // if this comes from a free email provider,
    // flag if org has never sent an email to sender's email before
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    // if this comes from a custom domain,
    // flag if org has never sent an email to sender's domain before
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
tags:
  - "Cryptocurrency"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "3dca757a-fb21-53c0-ac17-b0f110e8db60"