Impersonation: Legal firm with copyright infringement notice
Detects messages impersonating legal firms or copyright enforcement entities with extensive legal terminology, threatening language, and urgent compliance demands.
Sublime rule (View on GitHub)
1name: "Impersonation: Legal firm with copyright infringement notice"
2description: "Detects messages impersonating legal firms or copyright enforcement entities with extensive legal terminology, threatening language, and urgent compliance demands."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and length(body.previous_threads) == 0
8 and length(body.current_thread.text) < 5000
9 and (
10 0 < length(body.links) < 10 or beta.scan_qr(file.message_screenshot()).found
11 )
12
13 // common strings in subject or base
14 and (
15 2 of (
16 strings.ilike(subject.base, '*Content*'),
17 strings.ilike(subject.base, '*Compliance*'),
18 strings.ilike(subject.base, '*Review*'),
19 strings.ilike(subject.base, '*Legal*'),
20 strings.ilike(subject.base, '*Formal*'),
21 strings.ilike(subject.base, '*LLP*'),
22 strings.ilike(subject.base, '*Unauthorized*'),
23 strings.ilike(subject.base, '*Trademark*'),
24 strings.ilike(subject.base, '*Law*'),
25 strings.ilike(subject.base, '*Enforcement*'),
26 strings.ilike(subject.base, '*Copyright*'),
27 strings.ilike(subject.base, '*Violat*'),
28 strings.ilike(subject.base, '*Intellectual*'),
29 strings.ilike(subject.base, '*Concerning*'),
30 strings.ilike(subject.base, '*Notice*'),
31 strings.ilike(subject.base, '*Licensing*'),
32 strings.ilike(subject.base, '*Clarification*'),
33 strings.ilike(subject.base, '*Matter*'),
34 strings.ilike(subject.base, '*Conflict*'),
35 strings.ilike(subject.base, '*Ownership*'),
36 strings.ilike(sender.display_name, '*Content*'),
37 strings.ilike(sender.display_name, '*Copyright*'),
38 strings.ilike(sender.display_name, '*Review*'),
39 strings.ilike(sender.display_name, '*Legal*'),
40 strings.ilike(sender.display_name, '*Investigation*'),
41 strings.ilike(sender.display_name, '*LLP*'),
42 strings.ilike(sender.display_name, '*Law*'),
43 strings.ilike(sender.display_name, '*Intellectual*'),
44 strings.ilike(sender.display_name, '*Notice*'),
45 strings.ilike(sender.display_name, '*Matter*'),
46 strings.ilike(sender.display_name, '*Dispute*'),
47 strings.ilike(sender.display_name, '*Resolution*'),
48 strings.ilike(sender.display_name, '*Advisory*'),
49 )
50 )
51
52 // common strings in email current thread
53 and 15 of (
54 strings.ilike(body.current_thread.text, '*copyright*'),
55 strings.ilike(body.current_thread.text, '*trademark*'),
56 strings.ilike(body.current_thread.text, '*inquiry*'),
57 strings.ilike(body.current_thread.text, '*online*'),
58 strings.ilike(body.current_thread.text, '*authorized*'),
59 strings.ilike(body.current_thread.text, '*legal*'),
60 strings.ilike(body.current_thread.text, '*represent*'),
61 strings.ilike(body.current_thread.text, '*lawful*'),
62 strings.ilike(body.current_thread.text, '*owner*'),
63 strings.ilike(body.current_thread.text, '*materials*'),
64 strings.ilike(body.current_thread.text, '*protected*'),
65 strings.ilike(body.current_thread.text, '*infring*'),
66 strings.ilike(body.current_thread.text, '*immediate*'),
67 strings.ilike(body.current_thread.text, '*cessation*'),
68 strings.ilike(body.current_thread.text, '*content*'),
69 strings.ilike(body.current_thread.text, '*referenced*'),
70 strings.ilike(body.current_thread.text, '*17 U.S.C. §*'),
71 strings.ilike(body.current_thread.text, '*constitutes*'),
72 strings.ilike(body.current_thread.text, '*authorization*'),
73 strings.ilike(body.current_thread.text, '*removal*'),
74 strings.ilike(body.current_thread.text, '*comply*'),
75 strings.ilike(body.current_thread.text, '*failure*'),
76 strings.ilike(body.current_thread.text, '*law firm*'),
77 strings.ilike(body.current_thread.text, '*LLP*'),
78 strings.ilike(body.current_thread.text, '*compliance*'),
79 strings.ilike(body.current_thread.text, '*cease*'),
80 strings.ilike(body.current_thread.text, '*protect*'),
81 strings.ilike(body.current_thread.text, '*rights*'),
82 strings.ilike(body.current_thread.text, '*penalty*'),
83 strings.ilike(body.current_thread.text, '*perjury*'),
84 strings.ilike(body.current_thread.text, '*holder*'),
85 strings.ilike(body.current_thread.text, '*declare*'),
86 strings.ilike(body.current_thread.text, '*sworn*'),
87 strings.ilike(body.current_thread.text, '*affidavit*'),
88 strings.ilike(body.current_thread.text, '*investigation*'),
89 strings.ilike(body.current_thread.text, '*identified*'),
90 strings.ilike(body.current_thread.text, '*reproduction*'),
91 strings.ilike(body.current_thread.text, '*license*'),
92 strings.ilike(body.current_thread.text, '*granted*'),
93 strings.ilike(body.current_thread.text, '*permitting*'),
94 strings.ilike(body.current_thread.text, '*evidence*'),
95 strings.ilike(body.current_thread.text, '*proceedings*'),
96 strings.ilike(body.current_thread.text, '*evidentiary*'),
97 strings.ilike(body.current_thread.text, '*remove*'),
98 strings.ilike(body.current_thread.text, '*suspend*'),
99 strings.ilike(body.current_thread.text, '*discontinue*'),
100 strings.ilike(body.current_thread.text, '*72 hours*'),
101 strings.ilike(body.current_thread.text, '*48 hours*'),
102 strings.ilike(body.current_thread.text, '*24 hours*'),
103 strings.ilike(body.current_thread.text, '*proof*'),
104 strings.ilike(body.current_thread.text, '*unresolved*'),
105 strings.ilike(body.current_thread.text, '*accordance*'),
106 strings.ilike(body.current_thread.text, '*procedures*'),
107 strings.ilike(body.current_thread.text, '*interests*'),
108 strings.ilike(body.current_thread.text, '*appeal*'),
109 strings.ilike(body.current_thread.text, '*clarification*'),
110 strings.ilike(body.current_thread.text, '*notice*'),
111 strings.ilike(body.current_thread.text, '*dissemination*'),
112 strings.ilike(body.current_thread.text, '*counter-notice*'),
113 strings.ilike(body.current_thread.text, '*exploitation*'),
114 strings.ilike(body.current_thread.text, '*remedial*'),
115 strings.ilike(body.current_thread.text, '*particulars*'),
116 strings.ilike(body.current_thread.text, '*fingerprint*'),
117 strings.ilike(body.current_thread.text, '*confidentiality*'),
118 strings.ilike(body.current_thread.text, '*assertion*'),
119 strings.ilike(body.current_thread.text, '*counsel*'),
120 strings.ilike(body.current_thread.text, '*privileged*'),
121 strings.ilike(body.current_thread.text, '*directive*'),
122 )
123
124 // remove phrase from legitimate complaint
125 and not regex.icontains(body.current_thread.text,
126 '(?:we are passing the notice below|content has been removed|removed from our website|notice of intended action|I have not granted|I am the original creator|content you reported has been removed|complaint will be carefully reviewed|provide a list of violations|document confirming your right to act)'
127 )
128
129 // not copyright reports
130 and not regex.icontains(body.current_thread.text,
131 '(?:confirmation|received).{0,100}copyright report'
132 )
133
134 // verified dmca receiving/sending address
135 and not any([recipients.cc, recipients.to, recipients.bcc],
136 any(.,
137 .email.email in (
138 'dmca@vimeo.com',
139 'dmca@support.epicgames.com',
140 'takedowns@doppel.com',
141 'ipenforcement@epicgames.com'
142 )
143 )
144 )
145 and not strings.icontains(sender.email.domain.root_domain, 'edwinjamesip.com')
146attack_types:
147 - "BEC/Fraud"
148 - "Extortion"
149tactics_and_techniques:
150 - "Impersonation: Brand"
151 - "Social engineering"
152detection_methods:
153 - "Content analysis"
154 - "Header analysis"
155 - "Sender analysis"
156id: "85bf58f6-3891-56ea-ae0a-d88073ade20f"