Brand impersonation: Charles Schwab

Impersonation of Charles Schwab & Co

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Charles Schwab"
 2description: "Impersonation of Charles Schwab & Co"
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    // display name contains charles schwab
 9    (
10      strings.ilike(strings.replace_confusables(sender.display_name),
11                    '*charles schwab*'
12      )
13      // no spaces
14      or strings.ilike(strings.replace_confusables(sender.display_name),
15                       '*charlesschwab*'
16      )
17      // levenshtein distince similar to schwab
18      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
19                              'charles schwab'
20      ) <= 1
21      // sender domain contains schwab
22      or strings.ilike(strings.replace_confusables(sender.email.domain.domain),
23                       '*schwab*'
24      )
25    )
26  )
27  
28  // and the sender is not in org_domains or from charles shwab domains and passes auth
29  and not (
30    sender.email.domain.root_domain in $org_domains
31    or (
32      (
33        sender.email.domain.root_domain in (
34          "schwab.com",
35          "aboutschwab.com.",
36          "schwabmoneywise.com",
37          "schwabe.com", // law firm with name
38          "proxyvote.com", // sends shareholder voting information with subject of company name
39          "boheme-schwabing.de", // steakhouse
40          "lesschwab.com", // tire sales
41       )
42        or sender.email.domain.domain in ("schwabebooks.ccsend.com")
43      )
44      and headers.auth_summary.dmarc.pass
45    )
46  )
47  // and the sender is not from high trust sender root domains
48  and (
49    (
50      sender.email.domain.root_domain in $high_trust_sender_root_domains
51      and not headers.auth_summary.dmarc.pass
52    )
53    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
54  )
55  and not profile.by_sender().solicited  
56
57attack_types:
58  - "Credential Phishing"
59tactics_and_techniques:
60  - "Impersonation: Brand"
61  - "Lookalike domain"
62  - "Social engineering"
63detection_methods:
64  - "Header analysis"
65  - "Sender analysis"
66id: "7abde595-bd69-5b79-8031-2c5a12b1767e"