Brand impersonation: Norton

calendar Aug 21, 2023  ยท
Share on: linkedin copy

Scans files to detect Norton (Lifelock|360|Security) impersonation.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Norton"
 2description: |
 3    Scans files to detect Norton (Lifelock|360|Security) impersonation.
 4references:
 5  - "https://techaeris.com/2021/10/23/psa-watch-out-for-norton-lifelock-phishing-emails/"
 6  - "https://playground.sublimesecurity.com?id=31310ef5-8725-49b8-9c33-6b18ecdb5ba0"
 7  - "https://playground.sublimesecurity.com?id=a67bc61c-28f0-4904-a046-4584e706697d"
 8  - "https://playground.sublimesecurity.com?id=3f5809c9-43cf-4f0c-a709-6f9e3912dbb4"
 9type: "rule"
10severity: "low"
11source: |
12  type.inbound
13  and sender.email.domain.domain != "norton.com"
14  and any(attachments,
15          (.file_type in $file_types_images or .file_type == "pdf")
16          and (
17            strings.ilike(.file_name, "*norton*")
18            or any(file.explode(.),
19                   regex.icontains(.scan.ocr.raw,
20                                   ".*norton.?60.*",
21                                   ".*lifelock.*",
22                                   ".*norton.?security.*"
23                   )
24            )
25          )
26  )
27  and (
28    (
29      // if freemail, flag if it's a first-time sender
30      sender.email.domain.root_domain in $free_email_providers
31      and sender.email.email not in $sender_emails
32    )
33    or (
34      // if custom domain, we want to avoid flagging
35      // on the real Norton invoices
36      // so we flag if it's not a first-time sender
37      // and if it's not in the tranco 1M w/ a reply-to mismatch
38      // for example we've observed:
39      // Sender: Norton <quickbooks@notification.intuit.com>
40      // Reply-to: foo@outlook.com
41      sender.email.domain.root_domain not in $free_email_providers
42      and sender.email.domain.domain not in $sender_domains
43      and (
44        sender.email.domain.root_domain not in $tranco_1m
45        or any(headers.reply_to, .email.domain.domain != sender.email.domain.domain)
46      )
47    )
48  )  
49attack_types:
50  - "Credential Phishing"
51tactics_and_techniques:
52  - "Free email provider"
53  - "Impersonation: Brand"
54  - "Social engineering"
55detection_methods:
56  - "Content analysis"
57  - "File analysis"
58  - "Header analysis"
59  - "Sender analysis"
60id: "32bd9efd-67ba-54e2-81d0-89cf16e85a70"
to-top