Brand impersonation: Norton

Scans files to detect Norton (Lifelock|360|Security) impersonation.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Norton"
 2description: |
 3    Scans files to detect Norton (Lifelock|360|Security) impersonation.
 4references:
 5  - "https://techaeris.com/2021/10/23/psa-watch-out-for-norton-lifelock-phishing-emails/"
 6  - "https://playground.sublimesecurity.com?id=31310ef5-8725-49b8-9c33-6b18ecdb5ba0"
 7  - "https://playground.sublimesecurity.com?id=a67bc61c-28f0-4904-a046-4584e706697d"
 8  - "https://playground.sublimesecurity.com?id=3f5809c9-43cf-4f0c-a709-6f9e3912dbb4"
 9type: "rule"
10severity: "low"
11source: |
12  type.inbound
     // NOTE(review): the norton.com exclusion keys on the From header domain alone
     // and is not tied to any authentication result, so a message whose From is
     // spoofed as norton.com is not evaluated further. Confirm whether this should
     // be paired with a DMARC/authentication check.
13  and sender.email.domain.domain != "norton.com"
14  and any(attachments,
             // only image and PDF attachments are inspected
15          (.file_type in $file_types_images or .file_type == "pdf")
16          and (
17            (
               // file name mentions Norton, unless a To recipient's display name
               // itself ends with "Norton"
18              strings.ilike(.file_name, "*norton*")
19              and not (
20                any(recipients.to, strings.iends_with(.display_name, "Norton"))
21              )
22            )
               // OCR text of the exploded attachment, matched case-insensitively;
               // the leading and trailing .* look redundant for a contains-style match
23            or any(file.explode(.),
24                   regex.icontains(.scan.ocr.raw,
25                                   ".*norton.?60.*",
26                                   ".*lifelock.*",
27                                   ".*norton.?security.*",
28                                   ".*norton.?anti.?virus.*",
29                                   ".*Norton.{2,3}subscription.*"
30                   )
31            )
32          )
33  )
     // sender-side condition: any one of the three branches below must hold
34  and (
35    (
36      // if freemail, flag if it's a first-time sender
37      sender.email.domain.root_domain in $free_email_providers
38      and sender.email.email not in $sender_emails
39    )
40    or (
41      // if custom domain, we want to avoid flagging
42      // on the real Norton invoices
43      // so we flag if it's not a first-time sender
44      // and if it's not in the tranco 1M w/ a reply-to mismatch
45      // for example we've observed:
46      // Sender: Norton <quickbooks@notification.intuit.com>
47      // Reply-to: foo@outlook.com
48      sender.email.domain.root_domain not in $free_email_providers
49      and sender.email.domain.domain not in $sender_domains
50      and (
51        sender.email.domain.root_domain not in $tranco_1m
52        or any(headers.reply_to,
53               .email.domain.domain != sender.email.domain.domain
54        )
55      )
56    )
       // no visible recipients: empty or "Undisclosed recipients" To, and no cc/bcc
57    or (
58      (
59        length(recipients.to) == 0
60        or all(recipients.to, .display_name == "Undisclosed recipients")
61      )
62      and length(recipients.cc) == 0
63      and length(recipients.bcc) == 0
64    )
65  )  
66attack_types:
67  - "Credential Phishing"
68tactics_and_techniques:
69  - "Free email provider"
70  - "Impersonation: Brand"
71  - "Social engineering"
72detection_methods:
73  - "Content analysis"
74  - "File analysis"
75  - "Header analysis"
76  - "Sender analysis"
77id: "32bd9efd-67ba-54e2-81d0-89cf16e85a70"