Brand impersonation: FINRA
Impersonation of the Financial Industry Regulatory Authority (FINRA)
# Sublime Security detection rule. Fires on inbound mail when the sender
# identity is within one edit of "finra", the body is classified as financial
# with at least one detected intent, the sender domain is not on the short
# allowlist below, and the sender profile is either unfamiliar and unsolicited
# or has prior malicious/spam history without recorded false positives.
name: "Brand impersonation: FINRA"
description: |
  Impersonation of the Financial Industry Regulatory Authority (FINRA)
references:
  - "https://www.thinkadvisor.com/2020/05/04/finra-warns-of-email-phishing-scam/"
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Sender identity check: display name or second-level domain within one
  // edit of "finra" (ilevenshtein = case-insensitive Levenshtein distance).
  // The display name is compared as a whole string, so longer display names
  // that merely contain "finra" do not satisfy this branch.
  and (
    strings.ilevenshtein(sender.display_name, 'finra') <= 1
    or strings.ilevenshtein(sender.email.domain.sld, 'finra') <= 1
  )
  // Content check: the NLU classifier must tag a "financial" entity and
  // return at least one intent. The classifier is invoked twice on the same
  // thread text here.
  and any(ml.nlu_classifier(body.current_thread.text).entities,
    .name == "financial"
  )
  and length(ml.nlu_classifier(body.current_thread.text).intents) > 0
  // Domain exemptions (case-insensitive membership via "in~"): the genuine
  // root domain plus near-matches that are not impersonation.
  // NOTE(review): the finra.org exemption is unconditional and not tied to
  // an authentication result, so a message that merely claims a finra.org
  // sender falls outside this rule's scope — presumably covered by a separate
  // spoofing/auth rule; confirm.
  // NOTE(review): finrax.com is allowlisted without a stated reason — confirm
  // it is still a legitimate domain.
  and sender.email.domain.root_domain not in~ (
    'finra.org',
    'finrax.com',
    'finca.wine' // a wine company
  )
  // Sender reputation: either a new/outlier sender the recipient did not
  // solicit, or a sender with prior malicious/spam messages and no recorded
  // false positives.
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "15c81db4-b3ba-5e9a-978c-194f77b56739"