Brand impersonation: PNC

 1name: "Brand impersonation: PNC"
 2description: "Impersonation of PNC Financial Services"
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    regex.icontains(sender.display_name, '\PNC\b')
 9    or strings.ilike(sender.email.domain.domain, '*PNC*')
10    or strings.ilike(subject.subject, '*PNC*')
11  )
12  and sender.email.domain.root_domain not in~ ('pnc.com', 'pncbank.com')
13  and sender.email.domain.tld != "pnc"
14  and any(ml.logo_detect(file.message_screenshot()).brands,
15          .name == "PNC" and .confidence in ("medium", "high")
16  )
17  and (
18    profile.by_sender().prevalence in ("new", "outlier")
19    or (
20      profile.by_sender().any_messages_malicious_or_spam
21      and not profile.by_sender().any_messages_benign
22    )
23  )
24  // not forwards/replies
25  and not (
26    (length(headers.references) > 0 or headers.in_reply_to is not null)
27    and (subject.is_forward or subject.is_reply)
28    and length(body.previous_threads) >= 1
29  )
30  // negate highly trusted sender domains unless they fail DMARC authentication
31  and (
32    (
33      sender.email.domain.root_domain in $high_trust_sender_root_domains
34      and not headers.auth_summary.dmarc.pass
35    )
36    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
37  )
38    
39attack_types:
40  - "Credential Phishing"
41tactics_and_techniques:
42  - "Impersonation: Brand"
43  - "Lookalike domain"
44  - "Social engineering"
45detection_methods:
46  - "Computer Vision"
47  - "Content analysis"
48  - "Header analysis"
49  - "Sender analysis"
50id: "1b5ae4fb-da62-5e6b-a831-d727ce038cde"