Brand impersonation: Ripple

 1name: "Brand impersonation: Ripple"
 2description: |
 3    Attack impersonating Ripple cryptocurrency, potentially in the form of a giveaway scam.
 4references:
 5  - "https://ripple.com/insights/how-to-spot-xrp-giveaway-scams/"
 6  - "https://support.gatehub.net/hc/en-us/articles/360014496899-Phishing-email-spoofs-Ripple"
 7type: "rule"
 8severity: "low"
 9source: |
10  type.inbound
11  and regex.imatch(sender.display_name, '\bripple\b')
12  and sender.email.domain.root_domain not in ("ripple.com", "ripplejobs.co.uk")
13  and (
14    (
15      sender.email.domain.root_domain in $free_email_providers
16      and sender.email.email not in $recipient_emails
17    )
18    or (
19      sender.email.domain.root_domain not in $free_email_providers
20      and sender.email.domain.domain not in $recipient_domains
21    )
22  )  
23tags:
24  - "Cryptocurrency"
25attack_types:
26  - "Credential Phishing"
27tactics_and_techniques:
28  - "Impersonation: Brand"
29  - "Social engineering"
30detection_methods:
31  - "Sender analysis"
32id: "68b39736-70e0-5bf7-8a0a-3e2206552251"