Brand impersonation: Coinbase
Impersonation of the cryptocurrency exchange Coinbase to harvest Coinbase credentials or related information.
Sublime rule
---
# Sublime Security detection rule (MQL). Flags inbound mail whose sender
# display name or sending domain resembles "Coinbase" while the message does
# not come from Coinbase's own root domain.
name: 'Brand impersonation: Coinbase'
description: |
  Impersonation of the cryptocurrency exchange Coinbase to harvest Coinbase credentials
  or related information.
references:
  - 'https://blog.coinbase.com/phishing-attacks-and-how-to-not-fall-victim-42b489d77199'
type: 'rule'
severity: 'high'
# Detection logic, as written in the query below:
#   1. the display name (confusable characters normalised) contains "coinbase"
#      or is within Levenshtein distance 1 of it, or the sender domain
#      contains "coinbase";
#   2. the sender root domain is neither coinbase.com nor q4inc.com
#      (q4inc.com is presumably a legitimate third party sending on
#      Coinbase's behalf — confirm before changing this allowlist);
#   3. the org has no prior outbound contact with the sender: checked per
#      address for free-mail providers, per domain for custom domains;
#   4. senders in the high-trust root-domain list are suppressed unless the
#      message failed DMARC.
source: |
  type.inbound
  and (
    strings.ilike(strings.replace_confusables(sender.display_name), '*coinbase*')
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'coinbase'
    ) <= 1
    or strings.ilike(sender.email.domain.domain, '*coinbase*')
  )
  and sender.email.domain.root_domain not in~ ('coinbase.com', 'q4inc.com')
  and (
    // if this comes from a free email provider,
    // flag if org has never sent an email to sender's email before
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    // if this comes from a custom domain,
    // flag if org has never sent an email to sender's domain before
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
# Classification metadata consumed by the rule catalogue.
tags:
  - 'Cryptocurrency'
attack_types:
  - 'Credential Phishing'
tactics_and_techniques:
  - 'Impersonation: Brand'
  - 'Lookalike domain'
  - 'Social engineering'
detection_methods:
  - 'Header analysis'
  - 'Sender analysis'
# Stable rule identifier; quoted so no YAML loader retypes it.
id: '3dca757a-fb21-53c0-ac17-b0f110e8db60'