Brand impersonation: Ledger
Attack impersonating the brand of ledger.com, a hardware cryptocurrency wallet vendor.
# Sublime Security detection rule for mail impersonating the Ledger brand.
# The `source` query fires in two situations:
#   1. the From address is ledger.com but the Return-Path root domain is not one
#      of the sending domains listed below (possible From-header spoofing);
#   2. the From address is not ledger.com but resembles it (address, display name
#      or second-level domain) AND the org has no record of prior outbound mail
#      to that sender (free provider: by address; custom domain: by domain).
# Comments inside the `source` block scalar use MQL `//` syntax, not YAML `#`.
name: "Brand impersonation: Ledger"
description: |
  Attack impersonating hardware cryptocurrency wallet ledger.com's brand.
references:
  - "https://ledger.com"
type: "rule"
severity: "low"
source: |
  type.inbound
  // Known-legitimate root domains that contain (or sit close to) "ledger" and
  // would otherwise trip the lookalike checks further down; excluded up front.
  // Fortune has a newsletter called "The Ledger"
  and sender.email.domain.root_domain not in (
    'fortune.com',
    'velocityledger.com',
    'lever.co',
    'queensledger.com',
    'libertyledger.com',
    'uledger.io'
  )
  and (
    // Case 1: From claims ledger.com, but the bounce (Return-Path) root domain
    // is not on the sending infrastructure ledger is expected to use.
    // NOTE(review): two entries here (amazonses.com, hubspotemail.net) are
    // shared providers, so a spoofed From with a Return-Path on either of them
    // is not caught by this branch; this branch also does not consult any
    // SPF/DKIM/DMARC result — consider whether an authentication check belongs
    // here alongside the Return-Path comparison.
    (
      sender.email.domain.root_domain == 'ledger.com'
      and headers.return_path.domain.root_domain not in (
        'ledger.com',
        'amazonses.com',
        'ledger.fr',
        'hubspotemail.net'
      )
    )
    // Case 2: From is not ledger.com but looks like it.
    or (
      sender.email.domain.root_domain != 'ledger.com'
      and (
        // full address contains "-ledger.com" (case-insensitive wildcard match)
        strings.ilike(sender.email.email, '*-ledger.com*')
        // display name matches "ledger" (case-insensitive comparison)
        or sender.display_name =~ "ledger"
        // second-level domain (presumably what `sld` denotes) is within one
        // edit of "ledger", case-insensitively — catches single-character
        // typosquats of the brand
        or strings.ilevenshtein(sender.email.domain.sld, "ledger") <= 1
      )
      // Only alert when the sender is unsolicited from the org's point of view;
      // this is what keeps the lookalike heuristics above from firing on
      // established correspondents.
      and (
        // if this comes from a free email provider,
        // flag if org has never sent an email to sender's email before
        (
          sender.email.domain.root_domain in $free_email_providers
          and sender.email.email not in $recipient_emails
        )
        // if this comes from a custom domain,
        // flag if org has never sent an email to sender's domain before
        or (
          sender.email.domain.root_domain not in $free_email_providers
          and sender.email.domain.domain not in $recipient_domains
        )
      )
    )
  )
tags:
  - "Cryptocurrency"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
# Stable rule identifier; keep unchanged across edits so deployments can track it.
id: "5f934755-cd03-5f4c-a5bd-a8899e7108c1"