Brand impersonation: FINRA
Impersonation of the Financial Industry Regulatory Authority (FINRA)
Sublime rule (View on GitHub)
```yaml
name: "Brand impersonation: FINRA"
description: |
  Impersonation of the Financial Industry Regulatory Authority (FINRA)
references:
  - "https://www.thinkadvisor.com/2020/05/04/finra-warns-of-email-phishing-scam/"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    strings.ilevenshtein(sender.display_name, 'finra') <= 1
    or strings.ilevenshtein(sender.email.domain.sld, 'finra') <= 1
  )
  and sender.email.domain.root_domain not in~ ('finra.org', 'finrax.com')

  // unsolicited
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "15c81db4-b3ba-5e9a-978c-194f77b56739"
```
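To see how the rule's three conditions combine, the following Python sketch mirrors the `source` logic on constructed senders. It is an added example, not Sublime's code or part of the rule. The list contents standing in for `$free_email_providers`, `$sender_emails` and `$sender_domains`, the sample addresses, and the simplified root-domain split (single-label TLD only) are all assumptions.

```python
# Added illustration; the real rule is evaluated by Sublime's MQL engine.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com"}  # stand-in for $free_email_providers
SENDER_EMAILS = {"known.contact@gmail.com"}          # stand-in for $sender_emails
SENDER_DOMAINS = {"finca.example"}                   # stand-in for $sender_domains
ALLOWED_ROOTS = {"finra.org", "finrax.com"}          # exclusions taken from the rule


def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance (insert, delete, substitute)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rule_matches(display_name: str, email: str) -> bool:
    """Mirror of the rule's source; type.inbound is assumed to be true."""
    email = email.lower()
    domain = email.rsplit("@", 1)[1]
    labels = domain.split(".")
    root = ".".join(labels[-2:])  # simplification: assumes a single-label TLD
    sld = labels[-2]
    lookalike = (ilevenshtein(display_name, "finra") <= 1
                 or ilevenshtein(sld, "finra") <= 1)
    if not lookalike or root in ALLOWED_ROOTS:
        return False
    if root in FREE_EMAIL_PROVIDERS:
        return email not in SENDER_EMAILS  # unsolicited free-mail sender
    return domain not in SENDER_DOMAINS    # unsolicited custom domain


# Constructed samples: (display name, sender address)
SAMPLES = [
    ("FINRA", "alerts@gmail.com"),              # exact name on free mail, no history
    ("Broker Notice", "notice@f1nra.example"),  # one-character lookalike SLD
    ("Support", "support@finrax.com"),          # distance 1, but excluded by the rule
    ("Finra", "known.contact@gmail.com"),       # prior correspondent, so not unsolicited
    ("Finca Coffee", "orders@finca.example"),   # distance-1 collision, known domain
]

if __name__ == "__main__":
    for name, addr in SAMPLES:
        print(f"{name!r:18} {addr:28} -> {rule_matches(name, addr)}")
```

The `finrax.com` and `finca.example` rows show why the rule carries an explicit exclusion list and the unsolicited check: a threshold of one edit on a five-letter brand also matches unrelated legitimate names.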