Impersonation: Legal firm with copyright infringement notice
Detects messages impersonating legal firms or copyright enforcement entities with extensive legal terminology, threatening language, and urgent compliance demands.
Sublime rule (View on GitHub)
1name: "Impersonation: Legal firm with copyright infringement notice"
2description: "Detects messages impersonating legal firms or copyright enforcement entities with extensive legal terminology, threatening language, and urgent compliance demands."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and length(body.previous_threads) == 0
8 and length(body.current_thread.text) < 5000
9 and 0 < length(body.links) < 10
10
11 // common strings in subject or base
12 and (
13 2 of (
14 strings.ilike(subject.base, '*Content*'),
15 strings.ilike(subject.base, '*Compliance*'),
16 strings.ilike(subject.base, '*Review*'),
17 strings.ilike(subject.base, '*Legal*'),
18 strings.ilike(subject.base, '*Formal*'),
19 strings.ilike(subject.base, '*LLP*'),
20 strings.ilike(subject.base, '*Unauthorized*'),
21 strings.ilike(subject.base, '*Trademark*'),
22 strings.ilike(subject.base, '*Law*'),
23 strings.ilike(subject.base, '*Enforcement*'),
24 strings.ilike(subject.base, '*Copyright*'),
25 strings.ilike(subject.base, '*Violat*'),
26 strings.ilike(subject.base, '*Intellectual*'),
27 strings.ilike(subject.base, '*Concerning*'),
28 strings.ilike(subject.base, '*Notice*'),
29 strings.ilike(subject.base, '*Clarification*'),
30 strings.ilike(subject.base, '*Matter*'),
31 strings.ilike(subject.base, '*Conflict*'),
32 strings.ilike(subject.base, '*Ownership*'),
33 strings.ilike(sender.display_name, '*Content*'),
34 strings.ilike(sender.display_name, '*Copyright*'),
35 strings.ilike(sender.display_name, '*Review*'),
36 strings.ilike(sender.display_name, '*Legal*'),
37 strings.ilike(sender.display_name, '*Investigation*'),
38 strings.ilike(sender.display_name, '*LLP*'),
39 strings.ilike(sender.display_name, '*Law*'),
40 strings.ilike(sender.display_name, '*Intellectual*'),
41 strings.ilike(sender.display_name, '*Notice*'),
42 strings.ilike(sender.display_name, '*Matter*'),
43 strings.ilike(sender.display_name, '*Advisory*')
44 )
45 )
46
47 // common strings in email current thread
48 and 15 of (
49 strings.ilike(body.current_thread.text, '*copyright*'),
50 strings.ilike(body.current_thread.text, '*trademark*'),
51 strings.ilike(body.current_thread.text, '*inquiry*'),
52 strings.ilike(body.current_thread.text, '*online*'),
53 strings.ilike(body.current_thread.text, '*authorized*'),
54 strings.ilike(body.current_thread.text, '*legal*'),
55 strings.ilike(body.current_thread.text, '*represent*'),
56 strings.ilike(body.current_thread.text, '*lawful*'),
57 strings.ilike(body.current_thread.text, '*owner*'),
58 strings.ilike(body.current_thread.text, '*materials*'),
59 strings.ilike(body.current_thread.text, '*protected*'),
60 strings.ilike(body.current_thread.text, '*infring*'),
61 strings.ilike(body.current_thread.text, '*immediate*'),
62 strings.ilike(body.current_thread.text, '*cessation*'),
63 strings.ilike(body.current_thread.text, '*content*'),
64 strings.ilike(body.current_thread.text, '*referenced*'),
65 strings.ilike(body.current_thread.text, '*17 U.S.C. §*'),
66 strings.ilike(body.current_thread.text, '*constitutes*'),
67 strings.ilike(body.current_thread.text, '*authorization*'),
68 strings.ilike(body.current_thread.text, '*removal*'),
69 strings.ilike(body.current_thread.text, '*comply*'),
70 strings.ilike(body.current_thread.text, '*failure*'),
71 strings.ilike(body.current_thread.text, '*law firm*'),
72 strings.ilike(body.current_thread.text, '*LLP*'),
73 strings.ilike(body.current_thread.text, '*compliance*'),
74 strings.ilike(body.current_thread.text, '*cease*'),
75 strings.ilike(body.current_thread.text, '*protect*'),
76 strings.ilike(body.current_thread.text, '*rights*'),
77 strings.ilike(body.current_thread.text, '*penalty*'),
78 strings.ilike(body.current_thread.text, '*perjury*'),
79 strings.ilike(body.current_thread.text, '*holder*'),
80 strings.ilike(body.current_thread.text, '*declare*'),
81 strings.ilike(body.current_thread.text, '*sworn*'),
82 strings.ilike(body.current_thread.text, '*affidavit*'),
83 strings.ilike(body.current_thread.text, '*investigation*'),
84 strings.ilike(body.current_thread.text, '*identified*'),
85 strings.ilike(body.current_thread.text, '*reproduction*'),
86 strings.ilike(body.current_thread.text, '*license*'),
87 strings.ilike(body.current_thread.text, '*granted*'),
88 strings.ilike(body.current_thread.text, '*permitting*'),
89 strings.ilike(body.current_thread.text, '*evidence*'),
90 strings.ilike(body.current_thread.text, '*proceedings*'),
91 strings.ilike(body.current_thread.text, '*evidentiary*'),
92 strings.ilike(body.current_thread.text, '*remove*'),
93 strings.ilike(body.current_thread.text, '*suspend*'),
94 strings.ilike(body.current_thread.text, '*discontinue*'),
95 strings.ilike(body.current_thread.text, '*72 hours*'),
96 strings.ilike(body.current_thread.text, '*48 hours*'),
97 strings.ilike(body.current_thread.text, '*24 hours*'),
98 strings.ilike(body.current_thread.text, '*proof*'),
99 strings.ilike(body.current_thread.text, '*unresolved*'),
100 strings.ilike(body.current_thread.text, '*accordance*'),
101 strings.ilike(body.current_thread.text, '*procedures*'),
102 strings.ilike(body.current_thread.text, '*interests*'),
103 strings.ilike(body.current_thread.text, '*appeal*'),
104 strings.ilike(body.current_thread.text, '*clarification*'),
105 strings.ilike(body.current_thread.text, '*notice*'),
106 strings.ilike(body.current_thread.text, '*dissemination*'),
107 strings.ilike(body.current_thread.text, '*counter-notice*'),
108 strings.ilike(body.current_thread.text, '*exploitation*')
109 )
110
111 // remove phrase from legitimate complaint
112 and not regex.icontains(body.current_thread.text,
113 '(?:we are passing the notice below|content has been removed|removed from our website|notice of intended action|I have not granted|I am the original creator|content you reported has been removed|complaint will be carefully reviewed|provide a list of violations|document confirming your right to act)'
114 )
115
116 // not copyright reports
117 and not regex.icontains(body.current_thread.text,
118 '(?:confirmation|received).{0,100}copyright report'
119 )
120
121 // verified dmca receiving/sending address
122 and not any([recipients.cc, recipients.to, recipients.bcc],
123 any(.,
124 .email.email in (
125 'dmca@vimeo.com',
126 'dmca@support.epicgames.com',
127 'takedowns@doppel.com',
128 'ipenforcement@epicgames.com'
129 )
130 )
131 )
132 and not strings.icontains(sender.email.domain.root_domain, 'edwinjamesip.com')
133attack_types:
134 - "BEC/Fraud"
135 - "Extortion"
136tactics_and_techniques:
137 - "Impersonation: Brand"
138 - "Social engineering"
139detection_methods:
140 - "Content analysis"
141 - "Header analysis"
142 - "Sender analysis"
143id: "85bf58f6-3891-56ea-ae0a-d88073ade20f"