Brand impersonation: LinkedIn

Impersonation of LinkedIn.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: LinkedIn"
 2description: |
 3    Impersonation of LinkedIn.
 4references:
 5  - "https://www.arcyber.army.mil/Info/Fact-Sheets/Fact-Sheet-View-Page/Article/1972156/army-cyber-fact-sheet-linkedin-scams/"
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and (
11    sender.display_name =~ 'linkedin'
12    or strings.ilevenshtein(sender.display_name, 'linkedin') <= 2
13    or strings.ilevenshtein(sender.email.domain.root_domain, 'linkedin.com') <= 2
14    or strings.ilike(sender.email.domain.root_domain, "*linkedin.com")
15    or (
16      strings.ilike(sender.display_name, "*linkedin*")
17      and 1 of (
18        any(ml.nlu_classifier(body.current_thread.text).intents,
19            .name in ("cred_theft", "steal_pii") and .confidence == "high"
20        ),
21        network.whois(sender.email.domain).days_old <= 30
22        and strings.ilike(sender.email.email, "*linkedin*"),
23        (
24          length(headers.reply_to) > 0
25          and all(headers.reply_to,
26                  .email.domain.root_domain != sender.email.domain.root_domain
27          )
28          and all(headers.reply_to,
29                  .email.domain.root_domain != headers.return_path.domain.root_domain
30          )
31          and sender.email.domain.root_domain != headers.return_path.domain.root_domain
32        )
33      )
34    )
35  )
36  and sender.email.domain.root_domain not in (
37    'linkedin.com',
38    'smartrecruiters.com',
39    'teams-events.com'
40  )
41  and sender.email.domain.domain not in (
42    'linkedin.coupahost.com'
43  )
44  and sender.email.email not in $recipient_emails
45  and not strings.iends_with(headers.message_id, "linkedin.com>")  
46
47attack_types:
48  - "Credential Phishing"
49tactics_and_techniques:
50  - "Impersonation: Brand"
51  - "Lookalike domain"
52  - "Social engineering"
53detection_methods:
54  - "Header analysis"
55  - "Sender analysis"
56id: "1a0cde6d-ce91-575f-a6a4-7a88b12f2ca4"
to-top