Brand impersonation: Netflix
Detects inbound messages impersonating Netflix: a sender display name or domain that contains or closely resembles "netflix", or a bcc-style message whose rendered body carries a Netflix logo together with a link classified as credential phishing. Mail from Netflix-owned sending domains and from the organization's own addresses is excluded, but note that the exclusion is based on the unauthenticated header sender domain.
Sublime rule
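# Sublime detection rule: Netflix brand impersonation.
# The `source` block is Sublime MQL; it is evaluated per inbound message.
name: "Brand impersonation: Netflix"
description: |
  Detects inbound messages that impersonate Netflix, either through a sender
  display name or domain that contains or closely resembles "netflix", or
  through a Netflix logo detected in the rendered message combined with a
  link classified as credential phishing. Messages from the listed root
  domains and from the organization's own addresses are excluded; note that
  both exclusions are based on the unauthenticated header sender.
references:
  - "https://news.trendmicro.com/2023/01/18/netflix-scams-2023-job-text-email/"
type: "rule"
# Low severity: the display-name branches are intentionally broad and can
# match benign mail that merely mentions Netflix.
severity: "low"
authors:
  - name: "min0k"
source: |
  // Only evaluate mail arriving from outside the organization.
  type.inbound
  and (
    // Display name contains "netflix" (case-insensitive substring)...
    strings.ilike(sender.display_name, '*netflix*')
    // ...or is within one edit of it (catches e.g. "Netflx", "Netfl1x").
    or strings.ilevenshtein(sender.display_name, 'netflix') <= 1
    // ...or the sender's domain label contains "netflix" (lookalike domains;
    // genuine Netflix-owned root domains are removed by the exclusion below).
    or strings.ilike(sender.email.domain.domain, '*netflix*')
    // ...or the letters n-e-t-l-i-x appear in order with up to three
    // arbitrary characters between each, to catch spaced or obfuscated
    // spellings. NOTE(review): the pattern does not require the "f", and the
    // gaps are wide enough to match unrelated names (e.g. "Annette Lixby"),
    // so this branch is a likely source of false positives; the trailing
    // `.{0,3}` is a no-op under icontains.
    or regex.icontains(sender.display_name, 'n.{0,3}e.{0,3}t.{0,3}l.{0,3}i.{0,3}x.{0,3}')
    // ...or the message looks like a bcc-style blast (no visible To, or
    // only invalid To/Cc domains) AND the rendered message carries a Netflix
    // logo AND at least one body link is classified as credential phishing.
    or (
      (
        length(recipients.to) == 0
        or (
          all(recipients.to, .email.domain.valid == false)
          and all(recipients.cc, .email.domain.valid == false)
        )
      )
      and any(ml.logo_detect(beta.message_screenshot()).brands,
        .name == "Netflix"
        and .confidence in ("medium", "high")
      )
      // The link verdict does not depend on which brand was detected, so it
      // is evaluated once here instead of inside the brand iteration above.
      and any(body.links,
        ml.link_analysis(.).credphish.disposition == "phishing"
        and ml.link_analysis(.).credphish.confidence in (
          "medium",
          "high"
        )
      )
    )
  )
  // Root domains treated as legitimate Netflix senders. Only the last entry is
  // annotated as Netflix-owned; envoy.com and lexisnexis.com are presumably
  // third parties that send Netflix-branded mail — confirm before pruning.
  // NOTE(review): this exclusion trusts the unauthenticated header From:
  // domain, so a message that spoofs netflix.com is excluded even if it fails
  // SPF/DKIM/DMARC. Consider gating the exclusion on authentication results.
  and sender.email.domain.root_domain not in (
    'netflix.com',
    'dvd.com',
    'netflixfamily.com',
    'netflixpreviewclub.com',
    'netflixanimation.com',
    'envoy.com',
    'lexisnexis.com',
    'netflix.shop',
    'netflixcontractors.com' // owned by netflix
  )
  // Exclude senders whose address is one of the organization's own recipient
  // addresses. NOTE(review): also header-based and unauthenticated, so a
  // spoofed internal From: address bypasses the rule.
  and sender.email.email not in $recipient_emails

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
# NOTE(review): the logo-detection branch also relies on computer vision and
# link analysis; consider listing those detection methods here as well.
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "9f39eea5-2edf-524d-b68b-d8d0bdb74273"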