Brand impersonation: Charles Schwab
Impersonation of Charles Schwab & Co
Sublime rule source (YAML with an MQL `source` block):
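name: "Brand impersonation: Charles Schwab"
description: "Impersonation of Charles Schwab & Co"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // display name contains "charles schwab" (confusable characters normalised first)
    (
      strings.ilike(strings.replace_confusables(sender.display_name),
                    '*charles schwab*'
      )
      // same, with no space between the words
      or strings.ilike(strings.replace_confusables(sender.display_name),
                       '*charlesschwab*'
      )
      // levenshtein distance of at most 1 from "charles schwab" (one typo / swapped char)
      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                              'charles schwab'
      ) <= 1
      // sender domain contains "schwab" (this also matches the legitimate
      // schwab.com, which is why the authenticated allow-list below is needed)
      or strings.ilike(strings.replace_confusables(sender.email.domain.domain),
                       '*schwab*'
      )
    )
  )

  // and the sender is not in org_domains, and is not a known Charles Schwab
  // (or known-benign lookalike) domain that also passes DMARC.
  // NOTE: the DMARC check is what makes this allow-list safe - a spoofed
  // From: of schwab.com that fails DMARC is still flagged.
  and not (
    sender.email.domain.root_domain in $org_domains
    or (
      (
        sender.email.domain.root_domain in (
          "schwab.com",
          "aboutschwab.com", // was "aboutschwab.com." - the trailing dot never matched root_domain
          "schwabcorrentesettlement.com", // Schwab v. Corrente, et al. settlement domain
          "schwabmoneywise.com",
          "schwabe.com", // law firm with a similar name
          "proxyvote.com", // sends shareholder voting information with the company name in the subject
          "boheme-schwabing.de", // steakhouse
          "lesschwab.com", // tire sales
          "schwab-marketing.com", // German marketing agency
          "schwaben.ca" // unrelated but similar domain
        )
        // full domain rather than root_domain here: ccsend.com is presumably a
        // shared ESP sending domain, so only this specific subdomain is trusted
        or sender.email.domain.domain in ("schwabebooks.ccsend.com")
      )
      and headers.auth_summary.dmarc.pass
    )
  )
  // and the sender is not from a high-trust sender root domain that passes DMARC
  // (a high-trust domain that FAILS DMARC is still evaluated, since it may be spoofed)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // and the recipient has not previously corresponded with this sender
  and not profile.by_sender().solicited

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "7abde595-bd69-5b79-8031-2c5a12b1767e"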