Brand impersonation: LinkedIn

Impersonation of LinkedIn.

Sublime rule

```yaml
name: "Brand impersonation: LinkedIn"
description: |
    Impersonation of LinkedIn.
references:
  - "https://www.arcyber.army.mil/Info/Fact-Sheets/Fact-Sheet-View-Page/Article/1972156/army-cyber-fact-sheet-linkedin-scams/"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    sender.display_name =~ 'linkedin'
    or strings.ilevenshtein(sender.display_name, 'linkedin') <= 2
    or strings.ilevenshtein(sender.email.domain.root_domain, 'linkedin.com') <= 2
  )
  and sender.email.domain.root_domain not in ('linkedin.com', 'smartrecruiters.com')
  and sender.email.email not in $recipient_emails
  and not strings.iends_with(headers.message_id, "linkedin.com>")
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "1a0cde6d-ce91-575f-a6a4-7a88b12f2ca4"
```
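The rule's `source` expression ported to plain Python so each clause can be exercised against constructed messages; this is an added example, not code from Sublime or the rule repository. `ilevenshtein`, `root_domain`, `Message` and the sample messages are all assumptions made here: `=~` is read as case-insensitive equality (the edit-distance clause subsumes it either way), and root-domain extraction is a naive last-two-labels approximation rather than a public-suffix lookup.

```python
from dataclasses import dataclass

ALLOWED_ROOT_DOMAINS = {"linkedin.com", "smartrecruiters.com"}  # the rule's allow-list

def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive Levenshtein edit distance, the role strings.ilevenshtein plays in MQL."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def root_domain(domain: str) -> str:
    # Assumption: root domain = last two labels (no public-suffix list, so "co.uk" style TLDs are wrong).
    return ".".join(domain.lower().split(".")[-2:])

@dataclass
class Message:             # only the fields the rule reads (hypothetical model)
    display_name: str
    sender_email: str
    message_id: str
    recipients: tuple      # lowercased recipient addresses, standing in for $recipient_emails
    inbound: bool = True   # type.inbound

def is_linkedin_impersonation(m: Message) -> bool:
    sender = m.sender_email.lower()
    root = root_domain(sender.split("@", 1)[1])
    looks_like_linkedin = (
        m.display_name.lower() == "linkedin"               # sender.display_name =~ 'linkedin'
        or ilevenshtein(m.display_name, "linkedin") <= 2   # typo-squatted display name
        or ilevenshtein(root, "linkedin.com") <= 2         # typo-squatted root domain
    )
    return (
        m.inbound
        and looks_like_linkedin
        and root not in ALLOWED_ROOT_DOMAINS               # genuine LinkedIn / SmartRecruiters mail
        and sender not in m.recipients                     # self-addressed mail is excluded
        and not m.message_id.lower().endswith("linkedin.com>")  # Message-ID minted by LinkedIn
    )

SAMPLES = {  # constructed sample messages, not real mail, one per branch of the rule
    "genuine": Message("LinkedIn", "messages-noreply@linkedin.com", "<a@linkedin.com>", ("alice@example.com",)),
    "lookalike_domain": Message("Jobs Team", "alerts@linkedln.com", "<b@linkedln.com>", ("alice@example.com",)),
    "lookalike_name": Message("Linkedn", "hr@mail-recruit.net", "<c@mail-recruit.net>", ("alice@example.com",)),
    "self_sent": Message("LinkedIn", "alice@example.com", "<d@example.com>", ("alice@example.com",)),
}

def flagged_samples() -> list:
    """Names of the constructed samples the rule would flag."""
    return sorted(k for k, m in SAMPLES.items() if is_linkedin_impersonation(m))
```

Only the two lookalike messages are flagged; the genuine LinkedIn mail is cleared by the root-domain allow-list and the self-addressed one by the recipient check.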