Brand impersonation: Netflix
Impersonation of Netflix: lookalike sender display names or domains, a detected Netflix logo combined with account-suspension or credential-theft language, the Netflix corporate postal address in the body, or an undisclosed-recipient pattern paired with a phishing link. DMARC-authenticated Netflix-owned senders and previously solicited senders are exempted.
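name: "Brand impersonation: Netflix"
description: |
  Impersonation of Netflix. Fires on lookalike sender display names or domains,
  a detected Netflix logo combined with account-suspension or credential-theft
  language, the Netflix corporate postal address in the body, or an
  undisclosed-recipient pattern paired with a phishing link. Netflix-owned
  senders are exempted only when the message passes DMARC, so a spoofed
  netflix.com sender that fails (or lacks) DMARC is still flagged.
references:
  - "https://news.trendmicro.com/2023/01/18/netflix-scams-2023-job-text-email/"
type: "rule"
severity: "low"
authors:
  - name: "min0k"
source: |
  type.inbound
  and (
    // obfuscated sender display name: confusable characters are normalized first,
    // then matched against (a) common misspellings, (b) a Levenshtein distance of
    // at most 1 from "netflix" (which also matches the exact, case-insensitive
    // brand name), or (c) a padded / spaced-out spelling of the brand
    (
      sender.display_name is not null
      and (
        regex.icontains(strings.replace_confusables(sender.display_name),
                        '[nm]etf[li][il]x'
        )
        or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                                'netflix'
        ) <= 1
        or regex.icontains(strings.replace_confusables(sender.display_name),
                           'n.{0,3}e.{0,3}t.{0,3}f.{0,3}l.{0,3}i.{0,3}x.{0,3}'
        )
      )
    )
    // obfuscated sender email domain. Uses the full domain (not root_domain) so a
    // lookalike in a subdomain label is also caught.
    or regex.icontains(strings.replace_confusables(sender.email.domain.domain),
                       '[nm]etf[li][il]x'
    )
    // logo detection on message screenshot (no link analysis)
    or (
      any(ml.logo_detect(file.message_screenshot()).brands,
          .name == "Netflix" and .confidence in ("medium", "high")
      )
      and (
        // non NLU based keywords on the screenshot (OCR of the rendered message,
        // so text embedded in images is covered too)
        regex.icontains(beta.ocr(file.message_screenshot()).text,
                        'suspen(?:ded|sion)'
        )
        or
        // combo of NLU cred_theft + financial + Customer Service and Support
        (
          any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "cred_theft"
          )
          and any(ml.nlu_classifier(body.current_thread.text).entities,
                  .name == "financial"
          )
          and any(ml.nlu_classifier(body.current_thread.text).topics,
                  .name == "Customer Service and Support"
          )
        )
      )
    )
    // Address Detection: any two of the three corporate address fragments in the
    // current thread body
    or 2 of (
      strings.icontains(body.current_thread.text, 'Netflix, Inc'),
      strings.icontains(body.current_thread.text, '100 Winchester Circle'),
      strings.icontains(body.current_thread.text, 'Los Gatos, CA 95032')
    )
    // unusual recipient pattern + logo detect + credphish disposition.
    // "Unusual" means no To recipients at all, or every To/Cc recipient domain is
    // invalid (all() over an empty Cc list is true).
    or (
      (
        length(recipients.to) == 0
        or (
          all(recipients.to, .email.domain.valid == false)
          and all(recipients.cc, .email.domain.valid == false)
        )
      )
      and any(ml.logo_detect(file.message_screenshot()).brands,
              .name == "Netflix" and .confidence in ("medium", "high")
      )
      and (
        any(body.links,
            ml.link_analysis(.).credphish.disposition == "phishing"
            and ml.link_analysis(.).credphish.confidence in ("medium", "high")
        )
      )
    )
  )
  // negation of legit domains. The exemption only applies when DMARC passes;
  // coalesce() maps a missing DMARC result to false, so messages with no
  // authentication summary are NOT exempted and a spoofed netflix.com sender
  // that fails DMARC is still flagged.
  // NOTE(review): envoy.com, lexisnexis.com and instagram.com are third parties,
  // not Netflix-owned -- presumably exempted because they legitimately send
  // Netflix-branded mail; confirm this is still desired.
  and not (
    sender.email.domain.root_domain in (
      'netflix.com',
      'dvd.com',
      'netflixfamily.com',
      'netflixpreviewclub.com',
      'netflixanimation.com',
      'envoy.com',
      'lexisnexis.com',
      'netflix.shop',
      'netflixcontractors.com', // owned by netflix
      'netflixevents.com', // owned by netflix
      'netelixir.com', // unrelated marketing
      'netflixhouse.com', // owned by netflix
      'instagram.com',
      'netflix.net',
      'netflixshopsupport.com', // owned by netflix
      'netflixpartner.com', // owned by netflix
    )
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  // exact-domain exemption (not root_domain, so other zendesk.com tenants are
  // not exempted), again gated on a DMARC pass
  and not (
    sender.email.domain.domain in (
      'netflix.zendesk.com' // netflix actual support
    )
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  // senders the organization has previously emailed are suppressed outright,
  // regardless of the signals above. This is a false-positive trade-off: a
  // lookalike or logo-bearing message from an already-solicited sender will not
  // be detected by this rule.
  and not profile.by_sender_email().solicited
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
# detection_methods reflects every technique the source actually uses: logo
# detection (Computer Vision), body keyword/address matching (Content analysis),
# DMARC evaluation (Header analysis), ml.nlu_classifier (Natural Language
# Understanding), beta.ocr (Optical Character Recognition), display-name and
# domain checks (Sender analysis), and ml.link_analysis (URL analysis).
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "9f39eea5-2edf-524d-b68b-d8d0bdb74273"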