Brand impersonation: Norton

calendar Oct 8, 2024  ยท
Share on: linkedin copy

Scans files to detect Norton (Lifelock|360|Security) impersonation.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Norton"
 2description: |
 3    Scans files to detect Norton (Lifelock|360|Security) impersonation.
 4references:
 5  - "https://techaeris.com/2021/10/23/psa-watch-out-for-norton-lifelock-phishing-emails/"
 6  - "https://playground.sublimesecurity.com?id=31310ef5-8725-49b8-9c33-6b18ecdb5ba0"
 7  - "https://playground.sublimesecurity.com?id=a67bc61c-28f0-4904-a046-4584e706697d"
 8  - "https://playground.sublimesecurity.com?id=3f5809c9-43cf-4f0c-a709-6f9e3912dbb4"
 9type: "rule"
10severity: "low"
11source: |
12  type.inbound
13  and sender.email.domain.domain != "norton.com"
14  and any(attachments,
15          (.file_type in $file_types_images or .file_type == "pdf")
16          and (
17            (
18              strings.ilike(.file_name, "*norton*")
19              and not (
20                any(recipients.to, strings.iends_with(.display_name, "Norton"))
21              )
22            )
23            or any(file.explode(.),
24                   regex.icontains(.scan.ocr.raw,
25                                   ".*norton.?60.*",
26                                   ".*lifelock.*",
27                                   ".*norton.?security.*",
28                                   ".*norton.?anti.?virus.*",
29                                   ".*Norton.{2,3}subscription.*"
30
31                   )
32            )
33          )
34  )
35  and (
36    (
37      // if freemail, flag if it's a first-time sender
38      sender.email.domain.root_domain in $free_email_providers
39      and sender.email.email not in $sender_emails
40    )
41    or (
42      // if custom domain, we want to avoid flagging
43      // on the real Norton invoices
44      // so we flag if it's not a first-time sender
45      // and if it's not in the tranco 1M w/ a reply-to mismatch
46      // for example we've observed:
47      // Sender: Norton <quickbooks@notification.intuit.com>
48      // Reply-to: foo@outlook.com
49      sender.email.domain.root_domain not in $free_email_providers
50      and sender.email.domain.domain not in $sender_domains
51      and (
52        sender.email.domain.root_domain not in $tranco_1m
53        or any(headers.reply_to,
54               .email.domain.domain != sender.email.domain.domain
55        )
56      )
57    )
58    or (
59      (
60        length(recipients.to) == 0
61        or all(recipients.to, .display_name == "Undisclosed recipients")
62      )
63      and length(recipients.cc) == 0
64      and length(recipients.bcc) == 0
65    )
66  )  
67attack_types:
68  - "Credential Phishing"
69tactics_and_techniques:
70  - "Free email provider"
71  - "Impersonation: Brand"
72  - "Social engineering"
73detection_methods:
74  - "Content analysis"
75  - "File analysis"
76  - "Header analysis"
77  - "Sender analysis"
78id: "32bd9efd-67ba-54e2-81d0-89cf16e85a70"
to-top