Brand impersonation: FINRA
Detects inbound email impersonating the Financial Industry Regulatory Authority (FINRA) via a lookalike sender display name or domain combined with financial-themed body content.
Sublime rule (View on GitHub)
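name: "Brand impersonation: FINRA"
description: |
  Impersonation of the Financial Industry Regulatory Authority (FINRA)
references:
  - "https://www.thinkadvisor.com/2020/05/04/finra-warns-of-email-phishing-scam/"
type: "rule"
severity: "medium"
# Logic summary: lookalike sender (display name or SLD within one edit of
# "finra") + financial content per the NLU classifier + a sender that is
# neither the DMARC-authenticated brand domain nor a known unrelated
# lookalike + a weak or previously-flagged sender reputation.
source: |
  type.inbound
  // Case-insensitive edit distance <= 1 against the whole display name or
  // second-level domain. Because the whole string is compared, a display
  // name such as "FINRA Compliance" does NOT match; add a substring/regex
  // check if that coverage is wanted.
  and (
    strings.ilevenshtein(sender.display_name, 'finra') <= 1
    or strings.ilevenshtein(sender.email.domain.sld, 'finra') <= 1
  )
  // Require financial subject matter and at least one classified intent so a
  // lookalike sender with no phishing content does not fire on its own.
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "financial"
  )
  and length(ml.nlu_classifier(body.current_thread.text).intents) > 0
  // Exempt the genuine brand domain only when DMARC authenticates it. A bare
  // root_domain exclusion would also exempt a spoofed "From: ...@finra.org",
  // which is exactly the impersonation this rule is meant to catch.
  and not (
    sender.email.domain.root_domain in~ ('finra.org')
    and headers.auth_summary.dmarc.pass
  )
  // Unrelated domains that fall inside the levenshtein threshold.
  and sender.email.domain.root_domain not in~ (
    'finrax.com', // NOTE(review): reason for exclusion not recorded; confirm it is unrelated to FINRA
    'finca.wine', // a wine company
    'finta.com' // unrelated domain caught by levenshtein
  )
  // Sender reputation: either unknown/unusual and unsolicited, or previously
  // flagged as malicious/spam with no benign history.
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "15c81db4-b3ba-5e9a-978c-194f77b56739"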