Brand impersonation: FINRA

Impersonation of the Financial Industry Regulatory Authority (FINRA)

Sublime rule

name: "Brand impersonation: FINRA"
description: |
    Impersonation of the Financial Industry Regulatory Authority (FINRA)
references:
  - "https://www.thinkadvisor.com/2020/05/04/finra-warns-of-email-phishing-scam/"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    strings.ilevenshtein(sender.display_name, 'finra') <= 1
    or strings.ilevenshtein(sender.email.domain.sld, 'finra') <= 1
  )
  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial")
  and length(ml.nlu_classifier(body.current_thread.text).intents) > 0
  and sender.email.domain.root_domain not in~ ('finra.org', 'finrax.com')
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "15c81db4-b3ba-5e9a-978c-194f77b56739"
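The lookalike test at the core of this rule, worked through as an added example (not Sublime's code): a case-insensitive Levenshtein distance of at most 1 between 'finra' and either the display name or the second-level domain, with the two genuine root domains excluded. The NLU and sender-profile terms depend on Sublime's platform and are not modelled; the domain splitting and the sample senders are constructed simplifications.

```python
from __future__ import annotations
from dataclasses import dataclass

LEGIT_ROOT_DOMAINS = {"finra.org", "finrax.com"}  # allowlist taken from the rule
TARGET = "finra"

def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance, matching strings.ilevenshtein semantics."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def root_and_sld(domain: str) -> tuple[str, str]:
    """Constructed simplification: root domain = last two labels, SLD = the
    label before the TLD. Production code should consult a public-suffix list."""
    labels = domain.lower().split(".")
    if len(labels) < 2:
        return labels[0], labels[0]
    return ".".join(labels[-2:]), labels[-2]

@dataclass
class Sender:
    display_name: str
    email_domain: str

def is_finra_lookalike(s: Sender) -> bool:
    """True when the rule's lookalike and allowlist terms would both pass."""
    root, sld = root_and_sld(s.email_domain)
    if root in LEGIT_ROOT_DOMAINS:
        return False  # mail from FINRA's own root domains is never flagged
    return (ilevenshtein(s.display_name, TARGET) <= 1
            or ilevenshtein(sld, TARGET) <= 1)

# Constructed sample senders (not real messages or real domains)
SAMPLES = [
    Sender("FINRA", "finra.org"),                          # genuine, allowlisted
    Sender("Finra", "f1nra-notices.com"),                  # display name matches
    Sender("Compliance Desk", "finr\u0430.com"),           # Cyrillic 'а' in the SLD
    Sender("Accounts Payable", "vendor-invoices.example"), # unrelated sender
]

def evaluate(samples: list[Sender] = SAMPLES) -> list[bool]:
    return [is_finra_lookalike(s) for s in samples]  # -> [False, True, True, False]
```

Note that a threshold of 1 covers a single substituted, inserted or dropped character, so the homoglyph case is caught by the SLD term even though the display name is unremarkable.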