Brand impersonation: Netflix
Impersonation of Netflix.
# Sublime detection rule: flags inbound mail that presents itself as Netflix
# (display name, sender domain, or a Netflix logo in a rendered screenshot)
# while not coming from a known Netflix-owned or Netflix-related domain.
name: "Brand impersonation: Netflix"
description: |
  Impersonation of Netflix.
references:
  - "https://news.trendmicro.com/2023/01/18/netflix-scams-2023-job-text-email/"
type: "rule"
severity: "low"
authors:
  - name: "min0k"
# The query below is MQL; `//` starts a comment inside the block scalar.
source: |
  type.inbound
  // --- Brand signal: any one of these is enough to continue evaluating ---
  and (
    // Display name contains "netflix" after confusable characters are normalised
    // (presumably replace_confusables maps lookalike glyphs to ASCII — confirm).
    strings.ilike(strings.replace_confusables(sender.display_name), '*netflix*')
    // Display name within one edit of "netflix" (single-character typosquats).
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name), 'netflix') <= 1
    // Sender domain contains "netflix".
    or strings.ilike(strings.replace_confusables(sender.email.domain.domain), '*netflix*')
    // Letters of "netflix" in order with up to 3 arbitrary characters between
    // each pair, catching padded or separator-split spellings.
    or regex.icontains(strings.replace_confusables(sender.display_name), 'n.{0,3}e.{0,3}t.{0,3}l.{0,3}i.{0,3}x.{0,3}')
    // Visual branding path: only considered when the message has no To
    // recipients, or every To/CC recipient domain is invalid, AND a rendered
    // screenshot shows a Netflix logo AND at least one body link is rated as
    // credential phishing.
    or (
      (
        length(recipients.to) == 0
        or (
          all(recipients.to, .email.domain.valid == false)
          and all(recipients.cc, .email.domain.valid == false)
        )
      )
      // NOTE(review): beta.message_screenshot() lives in a beta namespace;
      // presumably its behaviour/availability may change — verify on upgrade.
      and any(ml.logo_detect(beta.message_screenshot()).brands,
              .name == "Netflix"
              and .confidence in ("medium", "high")
              and (
                any(body.links,
                    ml.link_analysis(.).credphish.disposition == "phishing"
                    and ml.link_analysis(.).credphish.confidence in (
                      "medium",
                      "high"
                    )
                )
              )
      )
    )
  )
  // --- Allow-list: legitimate senders whose name/domain would otherwise match ---
  // NOTE(review): these exclusions key on the From-header domain only; nothing
  // in this rule verifies that the sender is authenticated, so a message that
  // spoofs one of these domains would be excluded as well. Pairing the
  // exclusion with an authentication (e.g. DMARC pass) condition would narrow
  // that gap — confirm against the rule conventions in this repository.
  and sender.email.domain.root_domain not in (
    'netflix.com',
    'dvd.com',
    'netflixfamily.com',
    'netflixpreviewclub.com',
    'netflixanimation.com',
    'envoy.com',
    'lexisnexis.com',
    'netflix.shop',
    'netflixcontractors.com', // owned by netflix
    'netflixevents.com' // owned by netflix
  )
  and sender.email.domain.domain not in (
    'netflix.zendesk.com' // netflix actual support
  )
  // Presumably $recipient_emails is the organisation's own known addresses,
  // so internal senders are not flagged — confirm the list's definition.
  and sender.email.email not in $recipient_emails

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
# NOTE(review): the source also relies on logo detection of a rendered
# screenshot and on link analysis; consider listing the corresponding
# detection methods here so the metadata matches the query.
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "9f39eea5-2edf-524d-b68b-d8d0bdb74273"