Brand impersonation: Spotify

Impersonation of Spotify.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Spotify"
 2description: |
 3    Impersonation of Spotify.
 4references:
 5  - "https://www.phishprotection.com/blog/the-latest-popular-service-to-serve-you-up-phishing-emails-spotify/"
 6type: "rule"
 7severity: "low"
 8source: |
 9  type.inbound
10  and (
11    strings.ilike(sender.display_name, '*spotify*')
12    or strings.ilevenshtein(sender.display_name, 'spotify') <= 1
13    or strings.ilike(sender.email.domain.domain, '*spotify*')
14    or (
15      regex.icontains(body.current_thread.text, 'Spotify AB\b')
16      and any(ml.logo_detect(file.message_screenshot()).brands,
17              .name == "Spotify" and .confidence != "low"
18      )
19    )
20  )
21  and sender.email.domain.root_domain not in~ (
22    'spotify.com',
23    'byspotify.com',
24    'echosign.com',
25    'fromspotify.com',
26    'anchor.fm'
27  )
28  and sender.email.domain.domain not in~ ('privaterelay.appleid.com')
29  and (
30    profile.by_sender().prevalence in ("new", "outlier")
31    or (
32      profile.by_sender().any_messages_malicious_or_spam
33      and not profile.by_sender().any_messages_benign
34    )
35  )
36
37  // negate highly trusted sender domains unless they fail DMARC authentication
38  and (
39    (
40      sender.email.domain.root_domain in $high_trust_sender_root_domains
41      and not headers.auth_summary.dmarc.pass
42    )
43    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
44  )  
45
46attack_types:
47  - "Credential Phishing"
48tactics_and_techniques:
49  - "Impersonation: Brand"
50  - "Lookalike domain"
51  - "Social engineering"
52detection_methods:
53  - "Sender analysis"
54id: "70e80f91-179d-51dc-9bbd-75f1bc6f9bb3"