Brand impersonation: Charles Schwab
Impersonation of Charles Schwab & Co
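name: "Brand impersonation: Charles Schwab"
description: "Impersonation of Charles Schwab & Co"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // display name contains "charles schwab"; confusables are normalized first
    // so homoglyph substitutions in the display name still match
    (
      strings.ilike(strings.replace_confusables(sender.display_name),
                    '*charles schwab*'
      )
      // same check without the space
      or strings.ilike(strings.replace_confusables(sender.display_name),
                       '*charlesschwab*'
      )
      // levenshtein distance of at most 1 from "charles schwab"
      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                              'charles schwab'
      ) <= 1
      // sender domain contains "schwab"
      or strings.ilike(strings.replace_confusables(sender.email.domain.domain),
                       '*schwab*'
      )
    )
  )

  // and the sender is not in org_domains, and is not a known Schwab domain or a
  // benign domain containing "schwab" that also passes DMARC
  // NOTE(review): the $org_domains exclusion is not gated on DMARC, so a
  // spoofed From address on an org domain falls outside this rule — confirm
  // that org-domain spoofing is covered by another rule.
  and not (
    sender.email.domain.root_domain in $org_domains
    or (
      (
        sender.email.domain.root_domain in (
          "schwab.com",
          // fixed: the entry previously carried a trailing dot ("aboutschwab.com."),
          // which does not equal a root_domain value, so this exclusion never matched
          "aboutschwab.com",
          "schwabmoneywise.com",
          "schwabe.com", // law firm with name
          "proxyvote.com", // sends shareholder voting information with subject of company name
          "boheme-schwabing.de", // steakhouse
          "lesschwab.com", // tire sales
          "schwab-marketing.com" // German marketing agency
        )
        or sender.email.domain.domain in ("schwabebooks.ccsend.com")
      )
      and headers.auth_summary.dmarc.pass
    )
  )
  // and the sender is not a high-trust root domain that passes DMARC
  // (a high-trust domain that fails DMARC stays in scope)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // and the recipient has not previously solicited mail from this sender
  and not profile.by_sender().solicited

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "7abde595-bd69-5b79-8031-2c5a12b1767e"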