Brand impersonation: Exodus

 1name: "Brand impersonation: Exodus"
 2description: |
 3    Attack impersonating Exodus Wallet.
 4references:
 5  - "https://exodus.com"
 6type: "rule"
 7severity: "low"
 8source: |
 9  type.inbound
10  and (
11    strings.ilike(sender.display_name, "*exodus*")
12    or (
13      strings.ilike(sender.email.domain.root_domain, "*exodus*")
14      and network.whois(sender.email.domain).days_old <= 30
15    )
16  )
17  and sender.email.domain.root_domain not in (
18    "exodus.com",
19    "exodus.io",
20    "exodusescaperoom.com"
21  )
22  and sender.email.email not in $recipient_emails
23  and (
24    any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
25    or any(ml.nlu_classifier(body.current_thread.text).entities,
26           .text == "wallet"
27    )
28  )  
29tags:
30  - "Cryptocurrency"
31attack_types:
32  - "Credential Phishing"
33tactics_and_techniques:
34  - "Impersonation: Brand"
35  - "Social engineering"
36detection_methods:
37  - "Header analysis"
38  - "Natural Language Understanding"
39  - "Sender analysis"
40id: "40c77ecc-782d-595a-a042-7fe7e4d756ee"