Brand impersonation: PNC

 1name: "Brand impersonation: PNC"
 2description: "Impersonation of PNC Financial Services"
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    regex.icontains(sender.display_name, '\PNC\b')
 9    or strings.ilike(sender.email.domain.domain, '*PNC*')
10    or strings.ilike(subject.subject, '*PNC*')
11  )
12  and sender.email.domain.root_domain not in~ ('pnc.com', 'pncbank.com')
13  and sender.email.domain.tld != "pnc"
14  
15   and any(ml.logo_detect(beta.message_screenshot()).brands,
16            .name == "PNC" and .confidence in ("medium", "high")
17    )
18  and (
19    profile.by_sender().prevalence in ("new", "outlier")
20    or (
21      profile.by_sender().any_messages_malicious_or_spam
22      and not profile.by_sender().any_false_positives
23    )
24  )
25  
26  // negate highly trusted sender domains unless they fail DMARC authentication
27  and (
28    (
29      sender.email.domain.root_domain in $high_trust_sender_root_domains
30      and not headers.auth_summary.dmarc.pass
31    )
32    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
33  )
34    
35attack_types:
36  - "Credential Phishing"
37tactics_and_techniques:
38  - "Impersonation: Brand"
39  - "Lookalike domain"
40  - "Social engineering"
41detection_methods:
42  - "Computer Vision"
43  - "Content analysis"
44  - "Header analysis"
45  - "Sender analysis"
46id: "1b5ae4fb-da62-5e6b-a831-d727ce038cde"