Brand impersonation: Charles Schwab

Impersonation of Charles Schwab & Co

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Charles Schwab"
 2description: "Impersonation of Charles Schwab & Co"
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    // display name contains charles schwab
 9    (
10      strings.ilike(strings.replace_confusables(sender.display_name),
11                    '*charles schwab*'
12      )
13      // no spaces
14      or strings.ilike(strings.replace_confusables(sender.display_name),
15                       '*charlesschwab*'
16      )
17      // levenshtein distince similar to schwab
18      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
19                              'charles schwab'
20      ) <= 1
21      // sender domain contains schwab
22      or strings.ilike(strings.replace_confusables(sender.email.domain.domain),
23                       '*schwab*'
24      )
25    )
26  )
27  
28  // and the sender is not in org_domains or from charles shwab domains and passes auth
29  and not (
30    sender.email.domain.root_domain in $org_domains
31    or (
32      (
33        sender.email.domain.root_domain in (
34          "schwab.com",
35          "aboutschwab.com.",
36          "schwabcorrentesettlement.com", // Schawb v. Corrente, et al. Settlement domain
37          "schwabmoneywise.com",
38          "schwabe.com", // law firm with name
39          "proxyvote.com", // sends shareholder voting information with subject of company name
40          "boheme-schwabing.de", // steakhouse
41          "lesschwab.com", // tire sales
42          "schwab-marketing.com", // German Marketing Agency
43          "schwaben.ca" // unrelated but similar domain
44        )
45        or sender.email.domain.domain in ("schwabebooks.ccsend.com")
46      )
47      and headers.auth_summary.dmarc.pass
48    )
49  )
50  // and the sender is not from high trust sender root domains
51  and (
52    (
53      sender.email.domain.root_domain in $high_trust_sender_root_domains
54      and not headers.auth_summary.dmarc.pass
55    )
56    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
57  )
58  and not profile.by_sender().solicited  
59
60attack_types:
61  - "Credential Phishing"
62tactics_and_techniques:
63  - "Impersonation: Brand"
64  - "Lookalike domain"
65  - "Social engineering"
66detection_methods:
67  - "Header analysis"
68  - "Sender analysis"
69id: "7abde595-bd69-5b79-8031-2c5a12b1767e"