Brand impersonation: Netflix

Impersonation of Netflix.

Sublime rule (View on GitHub)

name: "Brand impersonation: Netflix"
description: |
    Impersonation of Netflix.
references:
  - "https://news.trendmicro.com/2023/01/18/netflix-scams-2023-job-text-email/"
type: "rule"
severity: "low"
authors:
  - name: "min0k"
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name, '*netflix*')
    or strings.ilevenshtein(sender.display_name, 'netflix') <= 1
    or strings.ilike(sender.email.domain.domain, '*netflix*')
  )
  and sender.email.domain.root_domain not in ('netflix.com', 'dvd.com', 'netflixfamily.com')
  and sender.email.email not in $recipient_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "9f39eea5-2edf-524d-b68b-d8d0bdb74273"
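The rule's matching logic, rewritten in Python as an added example (this is not Sublime's code or the rule author's), run over a handful of constructed messages so each clause can be seen doing its job: the display-name wildcard match, the Levenshtein tolerance for near-miss spellings, the domain wildcard, the allowlist of legitimate root domains, and the exclusion of senders who also appear among the recipients. The `ilike`, `ilevenshtein` and `root_domain` helpers are simplified stand-ins for Sublime's built-ins; in particular `root_domain` here takes the last two labels rather than consulting the public suffix list, which is an assumption of this example and not how Sublime derives `sender.email.domain.root_domain`.

```python
"""Python re-implementation of the 'Brand impersonation: Netflix' rule logic.

Added example, not Sublime's code. Helper semantics are approximations of
Sublime's strings.ilike / strings.ilevenshtein / root_domain built-ins.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple

# Root domains the rule treats as legitimate Netflix senders.
ALLOWED_ROOT_DOMAINS = {"netflix.com", "dvd.com", "netflixfamily.com"}


@dataclass
class Message:
    """Minimal stand-in for the message fields the rule reads."""
    inbound: bool                 # type.inbound
    display_name: str             # sender.display_name
    sender_email: str             # sender.email.email
    recipient_emails: Tuple[str, ...] = ()  # $recipient_emails


def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive wildcard match; '*' matches any run of characters."""
    return fnmatchcase(value.lower(), pattern.lower())


def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance (insert/delete/substitute), standard DP."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def root_domain(domain: str) -> str:
    """Simplification (assumption): registrable domain = last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def matches_rule(msg: Message) -> bool:
    """Evaluate the rule's 'source' expression against one message."""
    if not msg.inbound:
        return False
    domain = msg.sender_email.rsplit("@", 1)[-1].lower()

    # Any of the three brand signals on the sender's name or domain.
    brand_hit = (
        ilike(msg.display_name, "*netflix*")
        or ilevenshtein(msg.display_name, "netflix") <= 1
        or ilike(domain, "*netflix*")
    )
    if not brand_hit:
        return False

    # Genuine Netflix root domains are excluded from the match.
    if root_domain(domain) in ALLOWED_ROOT_DOMAINS:
        return False

    # Sender also listed as a recipient is excluded.
    recipients = {r.lower() for r in msg.recipient_emails}
    if msg.sender_email.lower() in recipients:
        return False
    return True


# Constructed sample messages (not real traffic), one per rule clause.
SAMPLE_MESSAGES: List[Message] = [
    Message(True, "Netflix Support", "billing@netflix-account-verify.example"),  # name wildcard
    Message(True, "Netflx", "noreply@mailer.example.net"),                       # distance 1
    Message(True, "Account Team", "help@secure-netflix.example"),                # domain wildcard
    Message(True, "Netflix", "info@mailer.netflix.com"),                         # allowlisted root
    Message(False, "Netflix", "me@corp.example"),                                # not inbound
    Message(True, "Netflix Team", "bob@corp.example", ("bob@corp.example",)),    # sender is recipient
    Message(True, "Alice", "alice@example.org"),                                 # no brand signal
]


def evaluate(messages: List[Message]) -> List[bool]:
    """Return the rule verdict for each message, in order."""
    return [matches_rule(m) for m in messages]


if __name__ == "__main__":
    for m, hit in zip(SAMPLE_MESSAGES, evaluate(SAMPLE_MESSAGES)):
        print(f"{'MATCH ' if hit else 'pass  '} {m.display_name!r:20} {m.sender_email}")
```

Only the first three constructed messages fire: the allowlisted `netflix.com` root, the outbound message, the self-addressed message and the message with no Netflix signal all fall through one of the rule's exclusions. The `severity: "low"` in the rule fits this behaviour, since a display name or domain merely containing "netflix" is a signal worth surfacing but not proof of phishing on its own.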