Brand impersonation: Netflix

Impersonation of Netflix.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Netflix"
 2description: |
 3    Impersonation of Netflix.
 4references:
 5  - "https://news.trendmicro.com/2023/01/18/netflix-scams-2023-job-text-email/"
 6type: "rule"
 7severity: "low"
 8authors:
 9  - name: "min0k"
10source: |
11  type.inbound
12  and (
13    regex.icontains(strings.replace_confusables(sender.display_name), '[nm]etf[li][il]x')
14    or strings.ilevenshtein(strings.replace_confusables(sender.display_name), 'netflix') <= 1
15    or regex.icontains(strings.replace_confusables(sender.email.domain.domain), '[nm]etf[li][il]x')
16    or regex.icontains(strings.replace_confusables(sender.display_name), 'n.{0,3}e.{0,3}t.{0,3}f.{0,3}l.{0,3}i.{0,3}x.{0,3}')
17    or (
18      (
19        length(recipients.to) == 0
20        or (
21          all(recipients.to, .email.domain.valid == false)
22          and all(recipients.cc, .email.domain.valid == false)
23        )
24      )
25      and any(ml.logo_detect(file.message_screenshot()).brands,
26              .name == "Netflix"
27              and .confidence in ("medium", "high")
28              and (
29                any(body.links,
30                    ml.link_analysis(.).credphish.disposition == "phishing"
31                    and ml.link_analysis(.).credphish.confidence in (
32                      "medium",
33                      "high"
34                    )
35                )
36              )
37      )
38    )
39  )
40  and sender.email.domain.root_domain not in (
41    'netflix.com',
42    'dvd.com',
43    'netflixfamily.com',
44    'netflixpreviewclub.com',
45    'netflixanimation.com',
46    'envoy.com',
47    'lexisnexis.com',
48    'netflix.shop',
49    'netflixcontractors.com', // owned by netflix
50    'netflixevents.com', // owned by netflix
51    'netelixir.com', // unrelated marketing
52    'netflixhouse.com', // owned by netflix
53    'instagram.com',
54    'netflix.net'
55  )
56  and sender.email.domain.domain not in (
57    'netflix.zendesk.com' // netflix actual support
58  )
59  and sender.email.email not in $recipient_emails  
60
61attack_types:
62  - "Credential Phishing"
63tactics_and_techniques:
64  - "Impersonation: Brand"
65  - "Lookalike domain"
66  - "Social engineering"
67detection_methods:
68  - "Header analysis"
69  - "Sender analysis"
70id: "9f39eea5-2edf-524d-b68b-d8d0bdb74273"