Brand impersonation: Charles Schwab

Impersonation of Charles Schwab & Co

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Charles Schwab"
 2description: "Impersonation of Charles Schwab & Co"
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    // display name contains charles schwab
 9    (
10      strings.ilike(strings.replace_confusables(sender.display_name),
11                    '*charles schwab*'
12      )
13      // no spaces
14      or strings.ilike(strings.replace_confusables(sender.display_name),
15                       '*charlesschwab*'
16      )
17      // levenshtein distince similar to schwab
18      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
19                              'charles schwab'
20      ) <= 1
21      // sender domain contains schwab
22      or strings.ilike(strings.replace_confusables(sender.email.domain.domain),
23                       '*schwab*'
24      )
25    )
26  )
27  
28  // and the sender is not in org_domains or from charles shwab domains and passes auth
29  and not (
30    sender.email.domain.root_domain in $org_domains
31    or (
32      (
33        sender.email.domain.root_domain in (
34          "schwab.com",
35          "aboutschwab.com.",
36          "schwabcorrentesettlement.com", // Schawb v. Corrente, et al. Settlement domain
37          "schwabmoneywise.com",
38          "schwabe.com", // law firm with name
39          "proxyvote.com", // sends shareholder voting information with subject of company name
40          "boheme-schwabing.de", // steakhouse
41          "lesschwab.com", // tire sales
42          "schwab-marketing.com" // German Marketing Agency
43       )
44        or sender.email.domain.domain in ("schwabebooks.ccsend.com")
45      )
46      and headers.auth_summary.dmarc.pass
47    )
48  )
49  // and the sender is not from high trust sender root domains
50  and (
51    (
52      sender.email.domain.root_domain in $high_trust_sender_root_domains
53      and not headers.auth_summary.dmarc.pass
54    )
55    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
56  )
57  and not profile.by_sender().solicited  
58
59attack_types:
60  - "Credential Phishing"
61tactics_and_techniques:
62  - "Impersonation: Brand"
63  - "Lookalike domain"
64  - "Social engineering"
65detection_methods:
66  - "Header analysis"
67  - "Sender analysis"
68id: "7abde595-bd69-5b79-8031-2c5a12b1767e"