Impersonation: Legal firm with copyright infringement notice

Detects messages impersonating legal firms or copyright enforcement entities with extensive legal terminology, threatening language, and urgent compliance demands.

Sublime rule (View on GitHub)

  1name: "Impersonation: Legal firm with copyright infringement notice"
  2description: "Detects messages impersonating legal firms or copyright enforcement entities with extensive legal terminology, threatening language, and urgent compliance demands."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and length(body.previous_threads) == 0
  8  and length(body.current_thread.text) < 5000
  9  and (
 10    0 < length(body.links) < 10 or beta.scan_qr(file.message_screenshot()).found
 11  )
 12  
 13  // common strings in subject or base
 14  and (
 15    2 of (
 16      strings.ilike(subject.base, '*Content*'),
 17      strings.ilike(subject.base, '*Compliance*'),
 18      strings.ilike(subject.base, '*Review*'),
 19      strings.ilike(subject.base, '*Legal*'),
 20      strings.ilike(subject.base, '*Formal*'),
 21      strings.ilike(subject.base, '*LLP*'),
 22      strings.ilike(subject.base, '*Unauthorized*'),
 23      strings.ilike(subject.base, '*Trademark*'),
 24      strings.ilike(subject.base, '*Law*'),
 25      strings.ilike(subject.base, '*Enforcement*'),
 26      strings.ilike(subject.base, '*Copyright*'),
 27      strings.ilike(subject.base, '*Violat*'),
 28      strings.ilike(subject.base, '*Intellectual*'),
 29      strings.ilike(subject.base, '*Concerning*'),
 30      strings.ilike(subject.base, '*Notice*'),
 31      strings.ilike(subject.base, '*Licensing*'),
 32      strings.ilike(subject.base, '*Clarification*'),
 33      strings.ilike(subject.base, '*Matter*'),
 34      strings.ilike(subject.base, '*Conflict*'),
 35      strings.ilike(subject.base, '*Ownership*'),
 36      strings.ilike(sender.display_name, '*Content*'),
 37      strings.ilike(sender.display_name, '*Copyright*'),
 38      strings.ilike(sender.display_name, '*Review*'),
 39      strings.ilike(sender.display_name, '*Legal*'),
 40      strings.ilike(sender.display_name, '*Investigation*'),
 41      strings.ilike(sender.display_name, '*LLP*'),
 42      strings.ilike(sender.display_name, '*Law*'),
 43      strings.ilike(sender.display_name, '*Intellectual*'),
 44      strings.ilike(sender.display_name, '*Notice*'),
 45      strings.ilike(sender.display_name, '*Matter*'),
 46      strings.ilike(sender.display_name, '*Dispute*'),
 47      strings.ilike(sender.display_name, '*Resolution*'),
 48      strings.ilike(sender.display_name, '*Advisory*'),
 49    )
 50  )
 51  
 52  // common strings in email current thread
 53  and 15 of (
 54    strings.ilike(body.current_thread.text, '*copyright*'),
 55    strings.ilike(body.current_thread.text, '*trademark*'),
 56    strings.ilike(body.current_thread.text, '*inquiry*'),
 57    strings.ilike(body.current_thread.text, '*online*'),
 58    strings.ilike(body.current_thread.text, '*authorized*'),
 59    strings.ilike(body.current_thread.text, '*legal*'),
 60    strings.ilike(body.current_thread.text, '*represent*'),
 61    strings.ilike(body.current_thread.text, '*lawful*'),
 62    strings.ilike(body.current_thread.text, '*owner*'),
 63    strings.ilike(body.current_thread.text, '*materials*'),
 64    strings.ilike(body.current_thread.text, '*protected*'),
 65    strings.ilike(body.current_thread.text, '*infring*'),
 66    strings.ilike(body.current_thread.text, '*immediate*'),
 67    strings.ilike(body.current_thread.text, '*cessation*'),
 68    strings.ilike(body.current_thread.text, '*content*'),
 69    strings.ilike(body.current_thread.text, '*referenced*'),
 70    strings.ilike(body.current_thread.text, '*17 U.S.C. §*'),
 71    strings.ilike(body.current_thread.text, '*constitutes*'),
 72    strings.ilike(body.current_thread.text, '*authorization*'),
 73    strings.ilike(body.current_thread.text, '*removal*'),
 74    strings.ilike(body.current_thread.text, '*comply*'),
 75    strings.ilike(body.current_thread.text, '*failure*'),
 76    strings.ilike(body.current_thread.text, '*law firm*'),
 77    strings.ilike(body.current_thread.text, '*LLP*'),
 78    strings.ilike(body.current_thread.text, '*compliance*'),
 79    strings.ilike(body.current_thread.text, '*cease*'),
 80    strings.ilike(body.current_thread.text, '*protect*'),
 81    strings.ilike(body.current_thread.text, '*rights*'),
 82    strings.ilike(body.current_thread.text, '*penalty*'),
 83    strings.ilike(body.current_thread.text, '*perjury*'),
 84    strings.ilike(body.current_thread.text, '*holder*'),
 85    strings.ilike(body.current_thread.text, '*declare*'),
 86    strings.ilike(body.current_thread.text, '*sworn*'),
 87    strings.ilike(body.current_thread.text, '*affidavit*'),
 88    strings.ilike(body.current_thread.text, '*investigation*'),
 89    strings.ilike(body.current_thread.text, '*identified*'),
 90    strings.ilike(body.current_thread.text, '*reproduction*'),
 91    strings.ilike(body.current_thread.text, '*license*'),
 92    strings.ilike(body.current_thread.text, '*granted*'),
 93    strings.ilike(body.current_thread.text, '*permitting*'),
 94    strings.ilike(body.current_thread.text, '*evidence*'),
 95    strings.ilike(body.current_thread.text, '*proceedings*'),
 96    strings.ilike(body.current_thread.text, '*evidentiary*'),
 97    strings.ilike(body.current_thread.text, '*remove*'),
 98    strings.ilike(body.current_thread.text, '*suspend*'),
 99    strings.ilike(body.current_thread.text, '*discontinue*'),
100    strings.ilike(body.current_thread.text, '*72 hours*'),
101    strings.ilike(body.current_thread.text, '*48 hours*'),
102    strings.ilike(body.current_thread.text, '*24 hours*'),
103    strings.ilike(body.current_thread.text, '*proof*'),
104    strings.ilike(body.current_thread.text, '*unresolved*'),
105    strings.ilike(body.current_thread.text, '*accordance*'),
106    strings.ilike(body.current_thread.text, '*procedures*'),
107    strings.ilike(body.current_thread.text, '*interests*'),
108    strings.ilike(body.current_thread.text, '*appeal*'),
109    strings.ilike(body.current_thread.text, '*clarification*'),
110    strings.ilike(body.current_thread.text, '*notice*'),
111    strings.ilike(body.current_thread.text, '*dissemination*'),
112    strings.ilike(body.current_thread.text, '*counter-notice*'),
113    strings.ilike(body.current_thread.text, '*exploitation*'),
114    strings.ilike(body.current_thread.text, '*remedial*'),
115    strings.ilike(body.current_thread.text, '*particulars*'),
116    strings.ilike(body.current_thread.text, '*fingerprint*'),
117    strings.ilike(body.current_thread.text, '*confidentiality*'),
118    strings.ilike(body.current_thread.text, '*assertion*'),
119    strings.ilike(body.current_thread.text, '*counsel*'),
120    strings.ilike(body.current_thread.text, '*privileged*'),
121    strings.ilike(body.current_thread.text, '*directive*'),
122  )
123  
124  // remove phrase from legitimate complaint
125  and not regex.icontains(body.current_thread.text,
126                          '(?:we are passing the notice below|content has been removed|removed from our website|notice of intended action|I have not granted|I am the original creator|content you reported has been removed|complaint will be carefully reviewed|provide a list of violations|document confirming your right to act)'
127  )
128  
129  // not copyright reports
130  and not regex.icontains(body.current_thread.text,
131                          '(?:confirmation|received).{0,100}copyright report'
132  )
133  
134  // verified dmca receiving/sending address
135  and not any([recipients.cc, recipients.to, recipients.bcc],
136              any(.,
137                  .email.email in (
138                    'dmca@vimeo.com',
139                    'dmca@support.epicgames.com',
140                    'takedowns@doppel.com',
141                    'ipenforcement@epicgames.com'
142                  )
143              )
144  )
145  and not strings.icontains(sender.email.domain.root_domain, 'edwinjamesip.com')  
146attack_types:
147  - "BEC/Fraud"
148  - "Extortion"
149tactics_and_techniques:
150  - "Impersonation: Brand"
151  - "Social engineering"
152detection_methods:
153  - "Content analysis"
154  - "Header analysis"
155  - "Sender analysis"
156id: "85bf58f6-3891-56ea-ae0a-d88073ade20f"
to-top