Brand impersonation: Charles Schwab

Impersonation of Charles Schwab & Co

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Charles Schwab"
 2description: "Impersonation of Charles Schwab & Co"
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    // display name contains charles schwab
 9    (
10      strings.ilike(strings.replace_confusables(sender.display_name),
11                    '*charles schwab*'
12      )
13      // no spaces
14      or strings.ilike(strings.replace_confusables(sender.display_name),
15                       '*charlesschwab*'
16      )
17      // levenshtein distince similar to schwab
18      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
19                              'charles schwab'
20      ) <= 1
21      // sender domain contains schwab
22      or strings.ilike(strings.replace_confusables(sender.email.domain.domain),
23                       '*schwab*'
24      )
25    )
26  )
27  
28  // and the sender is not in org_domains or from charles shwab domains and passes auth
29  and not (
30    sender.email.domain.root_domain in $org_domains
31    or (
32      (
33        sender.email.domain.root_domain in (
34          "schwab.com",
35          "aboutschwab.com.",
36          "schwabmoneywise.com",
37          "schwabe.com", // law firm with name
38          "proxyvote.com", // sends shareholder voting information with subject of company name
39          "boheme-schwabing.de", // steakhouse
40          "lesschwab.com", // tire sales
41          "schwab-marketing.com" // German Marketing Agency
42       )
43        or sender.email.domain.domain in ("schwabebooks.ccsend.com")
44      )
45      and headers.auth_summary.dmarc.pass
46    )
47  )
48  // and the sender is not from high trust sender root domains
49  and (
50    (
51      sender.email.domain.root_domain in $high_trust_sender_root_domains
52      and not headers.auth_summary.dmarc.pass
53    )
54    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
55  )
56  and not profile.by_sender().solicited  
57
58attack_types:
59  - "Credential Phishing"
60tactics_and_techniques:
61  - "Impersonation: Brand"
62  - "Lookalike domain"
63  - "Social engineering"
64detection_methods:
65  - "Header analysis"
66  - "Sender analysis"
67id: "7abde595-bd69-5b79-8031-2c5a12b1767e"