Brand Impersonation: Exodus

Attack impersonating Exodus Wallet.

Sublime rule (View on GitHub)

 1name: "Brand Impersonation: Exodus"
 2description: |
 3    Attack impersonating Exodus Wallet.
 4references:
 5  - "https://exodus.com"
 6type: "rule"
 7severity: "low"
 8source: |
 9  type.inbound
10  and (
11    strings.ilike(sender.display_name, "*exodus*")
12    or (
13      strings.ilike(sender.email.domain.root_domain, "*exodus*")
14      and network.whois(sender.email.domain).days_old <= 30
15    )
16  )
17  and sender.email.domain.root_domain not in ("exodus.com", "exodus.io", "exodusescaperoom.com")
18  and sender.email.email not in $recipient_emails
19  and (
20    any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
21    or any(ml.nlu_classifier(body.current_thread.text).entities, .text == "wallet")
22  )  
23tags:
24  - "Cryptocurrency"
25attack_types:
26  - "Credential Phishing"
27tactics_and_techniques:
28  - "Impersonation: Brand"
29  - "Social engineering"
30detection_methods:
31  - "Header analysis"
32  - "Natural Language Understanding"
33  - "Sender analysis"
34id: "40c77ecc-782d-595a-a042-7fe7e4d756ee"

Related rules

to-top