Brand impersonation: Ledger

Attack impersonating hardware cryptocurrency wallet ledger.com's brand.

Sublime rule

name: "Brand impersonation: Ledger"
description: |
    Attack impersonating hardware cryptocurrency wallet ledger.com's brand.
references:
  - "https://ledger.com"
type: "rule"
severity: "low"
source: |
  type.inbound
  // Fortune has a newsletter called "The Ledger"
  and sender.email.domain.root_domain not in (
    'fortune.com',
    'velocityledger.com',
    'lever.co',
    'queensledger.com',
    'libertyledger.com',
    'uledger.io',
    'ledgers.org.uk'
  )
  and (
    (
      sender.email.domain.root_domain == 'ledger.com'
      and headers.return_path.domain.root_domain not in (
        'ledger.com',
        'amazonses.com',
        'ledger.fr',
        'hubspotemail.net'
      )
    )
    or (
      sender.email.domain.root_domain != 'ledger.com'
      and (
        strings.ilike(sender.email.email, '*-ledger.com*')
        or sender.display_name =~ "ledger"
        or strings.ilevenshtein(sender.email.domain.sld, "ledger") <= 1
      )
      and (
        // if this comes from a free email provider,
        // flag if org has never sent an email to sender's email before
        (
          sender.email.domain.root_domain in $free_email_providers
          and sender.email.email not in $recipient_emails
        )
        // if this comes from a custom domain,
        // flag if org has never sent an email to sender's domain before
        or (
          sender.email.domain.root_domain not in $free_email_providers
          and sender.email.domain.domain not in $recipient_domains
        )
      )
    )
  )
tags:
  - "Cryptocurrency"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "5f934755-cd03-5f4c-a5bd-a8899e7108c1"
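The rule above combines three checks: an allow-list of unrelated "ledger" domains, a return-path check for mail that claims to come from ledger.com itself, and a lookalike check (address pattern, display name, or an edit distance of at most 1 between the sender's second-level domain and "ledger") gated on whether the organisation has ever mailed that sender before. The following Python re-implements that logic over constructed sample messages so the branches can be traced. It is an added example, not part of the Sublime rule or the Sublime platform: the `FREE_EMAIL_PROVIDERS` set and the `OrgContext` prior-contact sets are assumed stand-ins for `$free_email_providers`, `$recipient_emails` and `$recipient_domains`, `root_domain` uses a tiny hard-coded suffix list instead of a real public-suffix list, and `=~` is treated as case-insensitive equality.

```python
import re
from dataclasses import dataclass, field

# Allow-listed root domains, copied from the rule's first "not in" clause.
ALLOWED_ROOT_DOMAINS = {
    "fortune.com", "velocityledger.com", "lever.co", "queensledger.com",
    "libertyledger.com", "uledger.io", "ledgers.org.uk",
}
# Return-path root domains legitimate ledger.com mail may use (from the rule).
LEGIT_RETURN_PATH_ROOTS = {"ledger.com", "amazonses.com", "ledger.fr", "hubspotemail.net"}
# Assumed stand-in for Sublime's $free_email_providers list.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
# Minimal stand-in for a public-suffix list, enough for the sample data.
MULTI_LABEL_SUFFIXES = {"org.uk", "co.uk"}


@dataclass
class Message:
    sender_email: str
    display_name: str
    return_path_domain: str
    inbound: bool = True


@dataclass
class OrgContext:
    """Stand-in for $recipient_emails / $recipient_domains: who the org has mailed."""
    recipient_emails: set = field(default_factory=set)
    recipient_domains: set = field(default_factory=set)


def root_domain(domain: str) -> str:
    """Approximate sender.email.domain.root_domain (registrable domain)."""
    labels = domain.lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def sld(domain: str) -> str:
    """Second-level label of the root domain, e.g. 'ledger' for 'ledger.com'."""
    return root_domain(domain).split(".")[0]


def levenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance (stand-in for strings.ilevenshtein)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def matches_rule(msg: Message, org: OrgContext) -> bool:
    """Return True when the message would trigger the Ledger impersonation rule."""
    if not msg.inbound:
        return False
    sender_domain = msg.sender_email.split("@")[-1].lower()
    root = root_domain(sender_domain)
    if root in ALLOWED_ROOT_DOMAINS:
        return False
    if root == "ledger.com":
        # Claims to be ledger.com: flag unless the return path is an approved relay.
        return root_domain(msg.return_path_domain) not in LEGIT_RETURN_PATH_ROOTS
    looks_like_ledger = (
        re.search(r"-ledger\.com", msg.sender_email, re.IGNORECASE) is not None
        or msg.display_name.strip().lower() == "ledger"
        or levenshtein(sld(sender_domain), "ledger") <= 1
    )
    if not looks_like_ledger:
        return False
    if root in FREE_EMAIL_PROVIDERS:
        return msg.sender_email.lower() not in org.recipient_emails
    return sender_domain not in org.recipient_domains


def scan(messages, org: OrgContext):
    """Return the sender addresses of all messages that trigger the rule."""
    return [m.sender_email for m in messages if matches_rule(m, org)]


# Constructed sample data (not real traffic).
ORG = OrgContext(recipient_emails={"ledger@gmail.com"}, recipient_domains={"partner.example"})
SAMPLES = [
    Message("support@ledqer.com", "Ledger Support", "ledqer.com"),        # lookalike SLD
    Message("news@ledger.com", "Ledger", "bounce.amazonses.com"),          # legit relay
    Message("alerts@ledger.com", "Ledger", "mail.evil-relay.invalid"),     # bad return path
    Message("ledger@gmail.com", "Ledger", "gmail.com"),                    # known contact
    Message("newsletter@fortune.com", "The Ledger", "fortune.com"),        # allow-listed
]

if __name__ == "__main__":
    for addr in scan(SAMPLES, ORG):
        print("flagged:", addr)
```

Running the block flags `support@ledqer.com` and `alerts@ledger.com` only: the Fortune newsletter is allow-listed, the `amazonses.com` return path is approved, and the Gmail sender is one the organisation has already mailed, which is exactly the prior-contact gate the rule uses to keep noise down.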
