Brand impersonation: LinkedIn
Detects inbound mail that impersonates LinkedIn through the sender display name or a lookalike sender domain, with extra corroborating signals when the display name merely contains "linkedin".
Sublime rule (View on GitHub)
name: "Brand impersonation: LinkedIn"
description: |
  Impersonation of LinkedIn.
references:
  - "https://www.arcyber.army.mil/Info/Fact-Sheets/Fact-Sheet-View-Page/Article/1972156/army-cyber-fact-sheet-linkedin-scams/"
type: "rule"
severity: "medium"
# Detection logic (MQL). The rule fires on an inbound message when any of these holds:
#   - the display name equals "linkedin" (case-insensitive) or is within
#     case-insensitive Levenshtein distance 2 of it;
#   - the sender root domain is within Levenshtein distance 2 of "linkedin.com",
#     or ends in "linkedin.com" (e.g. a lookalike such as "mylinkedin.com");
#   - the display name merely contains "linkedin" AND at least one (`1 of`) of
#     three corroborating signals is present: a high-confidence cred_theft /
#     steal_pii NLU intent on the current thread body; a sender domain whose
#     WHOIS age is <= 30 days with "linkedin" somewhere in the sender address; or
#     a non-empty Reply-To whose root domain differs from both the sender's and
#     the Return-Path's root domain, which themselves differ from each other.
#
# Exclusions (the trailing `and ... not ...` clauses): known root domains,
# one specific subdomain, senders that are also recipients ($recipient_emails —
# presumably the organization's own mailboxes; confirm), and Message-IDs
# ending in "linkedin.com>".
#
# NOTE(review): every exclusion keys on the From: address or on the Message-ID
# header, and nothing in this rule checks sender authentication (SPF/DKIM/DMARC).
# A message with a spoofed From: @linkedin.com, or with an attacker-supplied
# Message-ID ending in "linkedin.com>", is excluded by this rule as written.
# Confirm an authentication check is enforced elsewhere before relying on these
# exclusions; otherwise they are a bypass.
# NOTE(review): 'linkeen.com' is exactly Levenshtein distance 2 from 'linkedin.com'
# and so would otherwise match the lookalike branch; it is allow-listed here.
# Verify it is a known-legitimate sender and not an attacker-registered lookalike.
source: |
  type.inbound
  and (
    sender.display_name =~ 'linkedin'
    or strings.ilevenshtein(sender.display_name, 'linkedin') <= 2
    or strings.ilevenshtein(sender.email.domain.root_domain, 'linkedin.com') <= 2
    or strings.ilike(sender.email.domain.root_domain, "*linkedin.com")
    or (
      strings.ilike(sender.display_name, "*linkedin*")
      and 1 of (
        any(ml.nlu_classifier(body.current_thread.text).intents,
            .name in ("cred_theft", "steal_pii") and .confidence == "high"
        ),
        network.whois(sender.email.domain).days_old <= 30
        and strings.ilike(sender.email.email, "*linkedin*"),
        (
          length(headers.reply_to) > 0
          and all(headers.reply_to,
                  .email.domain.root_domain != sender.email.domain.root_domain
          )
          and all(headers.reply_to,
                  .email.domain.root_domain != headers.return_path.domain.root_domain
          )
          and sender.email.domain.root_domain != headers.return_path.domain.root_domain
        )
      )
    )
  )
  and sender.email.domain.root_domain not in (
    'linkedin.com',
    'smartrecruiters.com',
    'teams-events.com',
    'linkeen.com'
  )
  and sender.email.domain.domain not in (
    'linkedin.coupahost.com'
  )
  and sender.email.email not in $recipient_emails
  and not strings.iends_with(headers.message_id, "linkedin.com>")

# Classification metadata consumed by the rule catalog; not part of the match logic.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
# Stable rule identifier; must not change across revisions of this rule.
id: "1a0cde6d-ce91-575f-a6a4-7a88b12f2ca4"