Brand impersonation: Charles Schwab
Impersonation of Charles Schwab & Co
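name: "Brand impersonation: Charles Schwab"
description: "Impersonation of Charles Schwab & Co"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // display name contains charles schwab
    // replace_confusables normalizes homoglyphs before matching so lookalike
    // characters in the display name do not evade the string checks below
    (
      strings.ilike(strings.replace_confusables(sender.display_name),
                    '*charles schwab*'
      )
      // no spaces
      or strings.ilike(strings.replace_confusables(sender.display_name),
                       '*charlesschwab*'
      )
      // levenshtein distance: display name is at most one edit away from 'charles schwab'
      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                              'charles schwab'
      ) <= 1
      // sender domain contains schwab
      or strings.ilike(strings.replace_confusables(sender.email.domain.domain),
                       '*schwab*'
      )
    )
  )

  // and the sender is not in org_domains or from charles schwab domains and passes auth
  // the DMARC pass requirement is what keeps this allow list from being satisfiable
  // by a spoofed From: header on one of the listed domains
  and not (
    sender.email.domain.root_domain in $org_domains
    or (
      (
        sender.email.domain.root_domain in (
          "schwab.com",
          "aboutschwab.com", // previously listed with a trailing dot, which root_domain never equals, so the entry was dead
          "schwabcorrentesettlement.com", // Schwab v. Corrente, et al. Settlement domain
          "schwabmoneywise.com",
          "schwabe.com", // law firm with name
          "proxyvote.com", // sends shareholder voting information with subject of company name
          "boheme-schwabing.de", // steakhouse
          "lesschwab.com", // tire sales
          "schwab-marketing.com" // German Marketing Agency
        )
        or sender.email.domain.domain in ("schwabebooks.ccsend.com")
      )
      and headers.auth_summary.dmarc.pass
    )
  )
  // and the sender is not from high trust sender root domains
  // (equivalently: not a high-trust root domain that also passes DMARC;
  // a high-trust domain that fails DMARC is still evaluated)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // suppress mail from senders the recipient has previously engaged with
  and not profile.by_sender().solicited

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "7abde595-bd69-5b79-8031-2c5a12b1767e"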