Brand impersonation: Charles Schwab
Impersonation of Charles Schwab & Co
Sublime rule (View on GitHub)
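name: "Brand impersonation: Charles Schwab"
description: "Impersonation of Charles Schwab & Co"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // display name contains "charles schwab"; confusables (homoglyph
    // look-alikes) are normalised first so lookalike characters still match
    (
      strings.ilike(strings.replace_confusables(sender.display_name),
                    '*charles schwab*'
      )
      // no spaces
      or strings.ilike(strings.replace_confusables(sender.display_name),
                       '*charlesschwab*'
      )
      // levenshtein distance of at most 1 from "charles schwab"
      // (catches single-character typos / substitutions)
      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                              'charles schwab'
      ) <= 1
      // sender domain contains "schwab"
      or strings.ilike(strings.replace_confusables(sender.email.domain.domain),
                       '*schwab*'
      )
    )
  )

  // and the sender is not in org_domains, and is not a genuine Charles Schwab
  // (or legitimately similarly named) domain that passes DMARC
  // NOTE(review): the $org_domains exclusion is not tied to a DMARC pass, so a
  // spoofed org-domain sender would bypass this rule — presumably covered by a
  // separate org-domain spoofing rule; confirm
  and not (
    sender.email.domain.root_domain in $org_domains
    or (
      (
        sender.email.domain.root_domain in (
          "schwab.com",
          // fixed: was "aboutschwab.com." (trailing dot), which can never equal
          // root_domain and therefore did not exempt legitimate mail
          "aboutschwab.com",
          "schwabmoneywise.com",
          "schwabe.com", // law firm with name
          "proxyvote.com", // sends shareholder voting information with subject of company name
          "boheme-schwabing.de", // steakhouse
          "lesschwab.com", // tire sales
        )
        or sender.email.domain.domain in ("schwabebooks.ccsend.com")
      )
      // the exemption only applies when the sender domain is authenticated
      and headers.auth_summary.dmarc.pass
    )
  )
  // and the sender is not from high trust sender root domains
  // (a high-trust domain that fails DMARC is still treated as suspicious)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // and the recipient has not previously engaged with this sender
  and not profile.by_sender().solicited

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "7abde595-bd69-5b79-8031-2c5a12b1767e"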