Brand impersonation: Ledger

Attack impersonating hardware cryptocurrency wallet ledger.com's brand.

Sublime rule

```yaml
name: "Brand impersonation: Ledger"
description: |
    Attack impersonating hardware cryptocurrency wallet ledger.com's brand.
references:
  - "https://ledger.com"
type: "rule"
severity: "low"
source: |
  type.inbound
  // Fortune has a newsletter called "The Ledger"
  and sender.email.domain.root_domain not in (
    'fortune.com',
    'velocityledger.com',
    'lever.co',
    'queensledger.com',
    'libertyledger.com',
    'uledger.io'
  )
  and (
    (
      sender.email.domain.root_domain == 'ledger.com'
      and headers.return_path.domain.root_domain not in (
        'ledger.com',
        'amazonses.com',
        'ledger.fr',
        'hubspotemail.net'
      )
    )
    or (
      sender.email.domain.root_domain != 'ledger.com'
      and (
        strings.ilike(sender.email.email, '*-ledger.com*')
        or sender.display_name =~ "ledger"
        or strings.ilevenshtein(sender.email.domain.sld, "ledger") <= 1
      )
      and (
        // if this comes from a free email provider,
        // flag if org has never sent an email to sender's email before
        (
          sender.email.domain.root_domain in $free_email_providers
          and sender.email.email not in $recipient_emails
        )
        // if this comes from a custom domain,
        // flag if org has never sent an email to sender's domain before
        or (
          sender.email.domain.root_domain not in $free_email_providers
          and sender.email.domain.domain not in $recipient_domains
        )
      )
    )
  )
tags:
  - "Cryptocurrency"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "5f934755-cd03-5f4c-a5bd-a8899e7108c1"
```
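The rule has two branches: a genuine `ledger.com` sender whose Return-Path root domain is not one Ledger is known to use, or a lookalike sender (address, display name or a domain within one edit of "ledger") that the organisation has never written to. The following Python model of that logic is an added example, not Sublime's engine or code from the rule repository; the `$free_email_providers`, `$recipient_emails` and `$recipient_domains` lists and the `root_domain`/`sld` helpers are constructed simplifications (no public-suffix list), and `=~` is treated as a case-insensitive regex match.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for Sublime's org-specific lists (assumption)
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
RECIPIENT_EMAILS = {"known.contact@gmail.com"}
RECIPIENT_DOMAINS = {"partner.example"}
# Values taken from the rule itself
NEWSLETTER_EXCLUSIONS = {"fortune.com", "velocityledger.com", "lever.co",
                         "queensledger.com", "libertyledger.com", "uledger.io"}
LEDGER_RETURN_PATHS = {"ledger.com", "amazonses.com", "ledger.fr", "hubspotemail.net"}

@dataclass
class Message:
    sender_email: str
    display_name: str
    return_path_domain: str

def root_domain(domain):
    # Simplification: last two labels stand in for the registrable domain
    return ".".join(domain.lower().split(".")[-2:])

def sld(domain):
    # Second-level label, e.g. "ledgr" for ledgr.com
    return root_domain(domain).split(".")[0]

def ilevenshtein(a, b):
    # Case-insensitive edit distance (strings.ilevenshtein equivalent)
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def matches_rule(m):
    domain = m.sender_email.split("@")[1].lower()
    root = root_domain(domain)
    if root in NEWSLETTER_EXCLUSIONS:
        return False
    if root == "ledger.com":
        # Branch 1: real sender domain but Return-Path not on Ledger's known list
        return root_domain(m.return_path_domain) not in LEDGER_RETURN_PATHS
    # Branch 2: lookalike identity, then "never contacted before" check
    lookalike = (re.search(r"-ledger\.com", m.sender_email, re.I) is not None
                 or re.search("ledger", m.display_name, re.I) is not None
                 or ilevenshtein(sld(domain), "ledger") <= 1)
    if not lookalike:
        return False
    if root in FREE_EMAIL_PROVIDERS:
        return m.sender_email.lower() not in RECIPIENT_EMAILS
    return domain not in RECIPIENT_DOMAINS
```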
