Brand impersonation: Silicon Valley Bank

Detects emails that impersonate Silicon Valley Bank

Sublime rule

```yaml
name: "Brand impersonation: Silicon Valley Bank"
description: "Detects emails that impersonate Silicon Valley Bank"
type: "rule"
severity: "medium"
source: |
  type.inbound
  // sender domain contains an SVB-like string, or the display name is within one edit of "svb"
  and (
    regex.icontains(sender.email.domain.domain, "(silicon(e)?.{0,10}(valley|bank)|svb)")
    or strings.ilevenshtein(sender.display_name, 'svb') <= 1
  )
  // sender domain was registered within the last 30 days
  and network.whois(sender.email.domain).days_old <= 30
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Whois"
id: "a01f61d9-a01a-548c-9a48-49f8d3732d05"
```
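To see which senders the rule's three conditions select, the following Python sketch approximates the `source` logic and runs it over constructed messages. It is an added example, not Sublime's code or engine: `ilevenshtein`, `rule_matches`, the message dictionaries and the handling of a missing WHOIS age are assumptions made for illustration, and the domain age is supplied as a field instead of being looked up.

```python
import re

# Same pattern the rule passes to regex.icontains (case-insensitive search).
BRAND_RE = re.compile(r"(silicon(e)?.{0,10}(valley|bank)|svb)", re.IGNORECASE)

def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance (stand-in for strings.ilevenshtein)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def rule_matches(msg: dict) -> bool:
    """inbound AND (domain regex OR display-name distance) AND domain age <= 30 days."""
    if not msg["inbound"]:
        return False
    brand_signal = (
        BRAND_RE.search(msg["sender_domain"]) is not None
        or ilevenshtein(msg["display_name"], "svb") <= 1
    )
    # Assumption: a missing WHOIS creation date (None) is treated as "no match".
    age = msg["whois_days_old"]
    return brand_signal and age is not None and age <= 30

# Constructed sample messages (not real traffic); domains use the reserved .example TLD.
SAMPLES = [
    {"inbound": True, "sender_domain": "siliconvalley-bank-support.example",
     "display_name": "Client Services", "whois_days_old": 3},
    {"inbound": True, "sender_domain": "mail-notify.example",
     "display_name": "SVB", "whois_days_old": 12},
    {"inbound": True, "sender_domain": "svb-alerts.example",
     "display_name": "SVB", "whois_days_old": 4000},   # brand string, but old domain
    {"inbound": True, "sender_domain": "design-studio.example",
     "display_name": "SVG", "whois_days_old": 7},      # one edit away from "svb"
    {"inbound": True, "sender_domain": "newsletter.example",
     "display_name": "Weekly Digest", "whois_days_old": 2},
]

def evaluate(samples):
    return [rule_matches(m) for m in samples]

if __name__ == "__main__":
    for m, hit in zip(SAMPLES, evaluate(SAMPLES)):
        print(f"{hit!s:5} {m['display_name']!r:18} {m['sender_domain']}")
```

The fourth sample shows the tuning consideration for this rule: any three-letter display name one edit from "svb" on a newly registered domain satisfies the conditions, so benign senders of that shape need review or an exclusion.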