Brand impersonation: LastPass
Detects messages impersonating the password manager LastPass that contain suspicious language about maintenance, vault exports, or master passwords.
# Sublime Security detection rule: flags inbound mail that presents itself as
# LastPass (in the display name or sender domain) and pairs that with
# credential-phishing lures, suspicious link targets, or an invalid sender
# domain. Mail that really comes from lastpass.com and passes DMARC is excluded.
name: "Brand impersonation: LastPass"
description: "Detects messages impersonating the password manager LastPass that contain suspicious language about maintenance, vault exports, or master passwords."
type: "rule"
severity: "high"
source: |
  // Only inbound mail that carries at least one link is in scope.
  type.inbound
  and length(body.links) > 0
  // Brand reference in either the display name or the sender domain.
  // replace_confusables() normalises look-alike characters before matching;
  // "Last?Pass" additionally catches a single inserted character between the words.
  and any([sender.display_name, sender.email.domain.domain],
          strings.ilike(strings.replace_confusables(.), "*LastPass*", "Last?Pass")
  )
  // At least one of the following lure / infrastructure signals must be present.
  and (
    // Lure wording typical of vault-export / master-password phishing.
    strings.ilike(body.current_thread.text,
                  "*back*up*",
                  "*maintenance*",
                  "*master*password*",
                  "*export*vault*",
                  "*support@lastpass.com*" // real LastPass support address
    )
    or any(body.links,
           // links directly to a S3 bucket
           (
             .href_url.domain.root_domain == "amazonaws.com"
             and strings.icontains(.href_url.domain.subdomain, "s3")
           )
           // recipient email as a URL param
           // (decoded "email" query parameter equals one of the To: addresses)
           or any(.href_url.query_params_decoded["email"],
                  strings.parse_email(.).email in map(recipients.to, .email.email)
           )
    )
    // NLU topic signal; low-confidence classifications are ignored.
    or any(ml.nlu_classifier(body.current_thread.text).topics,
           .name in ("Security and Authentication", "Reminders and Notifications")
           and .confidence != "low"
    )
    // invalid sender address
    or not sender.email.domain.valid
  )
  // negate newsletters
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in ("Newsletters and Digests") and .confidence != "low"
  )
  // Exemption for the genuine brand: requires BOTH the lastpass.com root domain
  // and a DMARC pass, so a spoofed From: domain alone does not suppress the rule.
  and not (
    sender.email.domain.root_domain in~ ("lastpass.com")
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
  - "Header analysis"
id: "99831d35-1be6-547c-993e-6e6997b565bd"