Impersonation: Legal firm with copyright infringement notice
Detects messages impersonating legal firms or copyright enforcement entities with extensive legal terminology, threatening language, and urgent compliance demands.
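name: "Impersonation: Legal firm with copyright infringement notice"
description: "Detects messages impersonating legal firms or copyright enforcement entities with extensive legal terminology, threatening language, and urgent compliance demands."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound, first message of a thread, short body, a handful of links.
  // The length bounds keep the keyword thresholds below meaningful for
  // short notices and leave long legitimate correspondence alone.
  type.inbound
  and length(body.previous_threads) == 0
  and length(body.current_thread.text) < 5000
  and 0 < length(body.links) < 10

  // common strings in subject or base
  // at least two legal/enforcement terms across subject and sender display name
  and (
    2 of (
      strings.ilike(subject.base, '*Content*'),
      strings.ilike(subject.base, '*Compliance*'),
      strings.ilike(subject.base, '*Review*'),
      strings.ilike(subject.base, '*Legal*'),
      strings.ilike(subject.base, '*Formal*'),
      strings.ilike(subject.base, '*LLP*'),
      strings.ilike(subject.base, '*Unauthorized*'),
      strings.ilike(subject.base, '*Trademark*'),
      strings.ilike(subject.base, '*Law*'),
      strings.ilike(subject.base, '*Enforcement*'),
      strings.ilike(subject.base, '*Copyright*'),
      strings.ilike(subject.base, '*Violat*'),
      strings.ilike(subject.base, '*Intellectual*'),
      strings.ilike(subject.base, '*Concerning*'),
      strings.ilike(subject.base, '*Notice*'),
      strings.ilike(subject.base, '*Licensing*'),
      strings.ilike(subject.base, '*Clarification*'),
      strings.ilike(subject.base, '*Matter*'),
      strings.ilike(subject.base, '*Conflict*'),
      strings.ilike(subject.base, '*Ownership*'),
      strings.ilike(sender.display_name, '*Content*'),
      strings.ilike(sender.display_name, '*Copyright*'),
      strings.ilike(sender.display_name, '*Review*'),
      strings.ilike(sender.display_name, '*Legal*'),
      strings.ilike(sender.display_name, '*Investigation*'),
      strings.ilike(sender.display_name, '*LLP*'),
      strings.ilike(sender.display_name, '*Law*'),
      strings.ilike(sender.display_name, '*Intellectual*'),
      strings.ilike(sender.display_name, '*Notice*'),
      strings.ilike(sender.display_name, '*Matter*'),
      strings.ilike(sender.display_name, '*Dispute*'),
      strings.ilike(sender.display_name, '*Resolution*'),
      strings.ilike(sender.display_name, '*Advisory*'),
    )
  )

  // common strings in email current thread
  // dense legal vocabulary: 15 of the terms below must appear in the body
  and 15 of (
    strings.ilike(body.current_thread.text, '*copyright*'),
    strings.ilike(body.current_thread.text, '*trademark*'),
    strings.ilike(body.current_thread.text, '*inquiry*'),
    strings.ilike(body.current_thread.text, '*online*'),
    strings.ilike(body.current_thread.text, '*authorized*'),
    strings.ilike(body.current_thread.text, '*legal*'),
    strings.ilike(body.current_thread.text, '*represent*'),
    strings.ilike(body.current_thread.text, '*lawful*'),
    strings.ilike(body.current_thread.text, '*owner*'),
    strings.ilike(body.current_thread.text, '*materials*'),
    strings.ilike(body.current_thread.text, '*protected*'),
    strings.ilike(body.current_thread.text, '*infring*'),
    strings.ilike(body.current_thread.text, '*immediate*'),
    strings.ilike(body.current_thread.text, '*cessation*'),
    strings.ilike(body.current_thread.text, '*content*'),
    strings.ilike(body.current_thread.text, '*referenced*'),
    strings.ilike(body.current_thread.text, '*17 U.S.C. §*'),
    strings.ilike(body.current_thread.text, '*constitutes*'),
    strings.ilike(body.current_thread.text, '*authorization*'),
    strings.ilike(body.current_thread.text, '*removal*'),
    strings.ilike(body.current_thread.text, '*comply*'),
    strings.ilike(body.current_thread.text, '*failure*'),
    strings.ilike(body.current_thread.text, '*law firm*'),
    strings.ilike(body.current_thread.text, '*LLP*'),
    strings.ilike(body.current_thread.text, '*compliance*'),
    strings.ilike(body.current_thread.text, '*cease*'),
    strings.ilike(body.current_thread.text, '*protect*'),
    strings.ilike(body.current_thread.text, '*rights*'),
    strings.ilike(body.current_thread.text, '*penalty*'),
    strings.ilike(body.current_thread.text, '*perjury*'),
    strings.ilike(body.current_thread.text, '*holder*'),
    strings.ilike(body.current_thread.text, '*declare*'),
    strings.ilike(body.current_thread.text, '*sworn*'),
    strings.ilike(body.current_thread.text, '*affidavit*'),
    strings.ilike(body.current_thread.text, '*investigation*'),
    strings.ilike(body.current_thread.text, '*identified*'),
    strings.ilike(body.current_thread.text, '*reproduction*'),
    strings.ilike(body.current_thread.text, '*license*'),
    strings.ilike(body.current_thread.text, '*granted*'),
    strings.ilike(body.current_thread.text, '*permitting*'),
    strings.ilike(body.current_thread.text, '*evidence*'),
    strings.ilike(body.current_thread.text, '*proceedings*'),
    strings.ilike(body.current_thread.text, '*evidentiary*'),
    strings.ilike(body.current_thread.text, '*remove*'),
    strings.ilike(body.current_thread.text, '*suspend*'),
    strings.ilike(body.current_thread.text, '*discontinue*'),
    strings.ilike(body.current_thread.text, '*72 hours*'),
    strings.ilike(body.current_thread.text, '*48 hours*'),
    strings.ilike(body.current_thread.text, '*24 hours*'),
    strings.ilike(body.current_thread.text, '*proof*'),
    strings.ilike(body.current_thread.text, '*unresolved*'),
    strings.ilike(body.current_thread.text, '*accordance*'),
    strings.ilike(body.current_thread.text, '*procedures*'),
    strings.ilike(body.current_thread.text, '*interests*'),
    strings.ilike(body.current_thread.text, '*appeal*'),
    strings.ilike(body.current_thread.text, '*clarification*'),
    strings.ilike(body.current_thread.text, '*notice*'),
    strings.ilike(body.current_thread.text, '*dissemination*'),
    strings.ilike(body.current_thread.text, '*counter-notice*'),
    strings.ilike(body.current_thread.text, '*exploitation*'),
    strings.ilike(body.current_thread.text, '*remedial*'),
    strings.ilike(body.current_thread.text, '*particulars*'),
    strings.ilike(body.current_thread.text, '*fingerprint*'),
    strings.ilike(body.current_thread.text, '*confidentiality*'),
    strings.ilike(body.current_thread.text, '*assertion*'),
    strings.ilike(body.current_thread.text, '*counsel*'),
    strings.ilike(body.current_thread.text, '*privileged*'),
    strings.ilike(body.current_thread.text, '*directive*'),
  )

  // remove phrase from legitimate complaint
  // phrases typical of genuine takedown acknowledgements and platform replies
  and not regex.icontains(body.current_thread.text,
    '(?:we are passing the notice below|content has been removed|removed from our website|notice of intended action|I have not granted|I am the original creator|content you reported has been removed|complaint will be carefully reviewed|provide a list of violations|document confirming your right to act)'
  )

  // not copyright reports
  and not regex.icontains(body.current_thread.text,
    '(?:confirmation|received).{0,100}copyright report'
  )

  // verified dmca receiving/sending address
  // NOTE(review): this exclusion keys on recipient addresses, which the
  // sender chooses; keep the list limited to addresses that only genuine
  // takedown traffic would carry
  and not any([recipients.cc, recipients.to, recipients.bcc],
    any(.,
      .email.email in (
        'dmca@vimeo.com',
        'dmca@support.epicgames.com',
        'takedowns@doppel.com',
        'ipenforcement@epicgames.com'
      )
    )
  )

  // known legitimate IP-enforcement sender; the exclusion only applies when
  // the From domain is authenticated, so a spoofed sender cannot use it
  // to bypass the rule
  and not (
    strings.icontains(sender.email.domain.root_domain, 'edwinjamesip.com')
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "BEC/Fraud"
  - "Extortion"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "85bf58f6-3891-56ea-ae0a-d88073ade20f"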