Brand impersonation: Ledger
Detects messages impersonating the brand of Ledger (ledger.com), the hardware cryptocurrency-wallet vendor: either a direct spoof of Ledger's own domain, or a lookalike sender the organisation has never written to.
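name: "Brand impersonation: Ledger"
description: |
  Attack impersonating hardware cryptocurrency wallet ledger.com's brand.
references:
  - "https://ledger.com"
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    // Branch 1: direct spoof. The From: domain *is* one of Ledger's own domains,
    // but the bounce (Return-Path) domain is not one Ledger is known to send from.
    // ledger.fr is treated as Ledger-owned because this rule already accepted it
    // as a legitimate return path for ledger.com mail; without it here, genuine
    // From: ledger.fr messages fall through to the lookalike branch below
    // (its SLD "ledger" is distance 0 from "ledger") and are flagged as
    // impersonation the first time the org hears from them.
    // NOTE(review): confirm ledger.fr against Ledger's published sending domains.
    (
      sender.email.domain.root_domain in ('ledger.com', 'ledger.fr')
      and headers.return_path.domain.root_domain not in (
        'ledger.com',
        'ledger.fr',
        // NOTE(review): amazonses.com and hubspotemail.net are shared ESP bounce
        // domains. Every Amazon SES / HubSpot tenant produces a return path under
        // them, so a spoofed Ledger From: relayed through either service is not
        // caught by this branch. Combining this check with the message's DMARC
        // authentication result would close that gap.
        'amazonses.com',
        'hubspotemail.net'
      )
    )
    // Branch 2: lookalike. The From: domain is not Ledger's, but the address,
    // display name or second-level domain resembles "ledger", and the org has
    // no prior outbound relationship with the sender.
    or (
      sender.email.domain.root_domain not in ('ledger.com', 'ledger.fr')
      and (
        // address contains "-ledger.com", e.g. support-ledger.com@<provider>
        strings.ilike(sender.email.email, '*-ledger.com*')
        // =~ is a case-insensitive *exact* comparison: only a display name that is
        // exactly "ledger" matches. Names such as "Ledger Support" are not covered
        // by this condition and rely on the address / domain checks around it.
        or sender.display_name =~ "ledger"
        // second-level domain within one edit of "ledger": ledqer, 1edger, ledgerr, ...
        or strings.ilevenshtein(sender.email.domain.sld, "ledger") <= 1
      )
      and (
        // if this comes from a free email provider,
        // flag if org has never sent an email to sender's email before
        (
          sender.email.domain.root_domain in $free_email_providers
          and sender.email.email not in $recipient_emails
        )
        // if this comes from a custom domain,
        // flag if org has never sent an email to sender's domain before
        or (
          sender.email.domain.root_domain not in $free_email_providers
          and sender.email.domain.domain not in $recipient_domains
        )
      )
    )
  )
  // Known-benign senders whose domain or name collides with "ledger".
  // This exclusion applies to both branches above.
  and sender.email.domain.root_domain not in (
    // Fortune has a newsletter called "The Ledger"
    'fortune.com',
    'velocityledger.com',
    'lever.co',
    'queensledger.com',
    'libertyledger.com',
    'uledger.io',
    'ledgers.org.uk',
    'leger.co.uk',
    'xledger.net'
  )
tags:
  - "Cryptocurrency"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "5f934755-cd03-5f4c-a5bd-a8899e7108c1"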