Brand impersonation: Netflix

Impersonation of Netflix.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Netflix"
 2description: |
 3    Impersonation of Netflix.
 4references:
 5  - "https://news.trendmicro.com/2023/01/18/netflix-scams-2023-job-text-email/"
 6type: "rule"
 7severity: "low"
 8authors:
 9  - name: "min0k"
10source: |
11  type.inbound
12  and (
13    strings.ilike(sender.display_name, '*netflix*')
14    or strings.ilevenshtein(sender.display_name, 'netflix') <= 1
15    or strings.ilike(sender.email.domain.domain, '*netflix*')
16    or regex.icontains(sender.display_name, 'n.{0,3}e.{0,3}t.{0,3}l.{0,3}i.{0,3}x.{0,3}')
17    or (
18      (
19        length(recipients.to) == 0
20        or (
21          all(recipients.to, .email.domain.valid == false)
22          and all(recipients.cc, .email.domain.valid == false)
23        )
24      )
25      and any(ml.logo_detect(beta.message_screenshot()).brands,
26              .name == "Netflix"
27              and .confidence in ("medium", "high")
28              and (
29                any(body.links,
30                    ml.link_analysis(.).credphish.disposition == "phishing"
31                    and ml.link_analysis(.).credphish.confidence in (
32                      "medium",
33                      "high"
34                    )
35                )
36              )
37      )
38    )
39  )
40  and sender.email.domain.root_domain not in (
41    'netflix.com',
42    'dvd.com',
43    'netflixfamily.com',
44    'netflixpreviewclub.com',
45    'netflixanimation.com',
46    'envoy.com',
47    'lexisnexis.com',
48    'netflix.shop',
49    'netflixcontractors.com' // owned by netflix
50  )
51  and sender.email.email not in $recipient_emails  
52
53attack_types:
54  - "Credential Phishing"
55tactics_and_techniques:
56  - "Impersonation: Brand"
57  - "Lookalike domain"
58  - "Social engineering"
59detection_methods:
60  - "Header analysis"
61  - "Sender analysis"
62id: "9f39eea5-2edf-524d-b68b-d8d0bdb74273"
to-top