Brand impersonation: Twitter
Impersonation of Twitter.
Sublime rule
# Sublime detection rule: flags inbound mail that impersonates Twitter/X through the display
# name, a lookalike sender domain, or X-branded content, minus a fixed sender-domain allowlist.
1name: "Brand impersonation: Twitter"
2description: |
3 Impersonation of Twitter.
4references:
5 - "https://www.techrepublic.com/article/phishing-attack-spoofs-twitter-to-steal-account-credentials/"
6type: "rule"
7severity: "medium"
8source: |
9 type.inbound
10 and (
11 // Twitter logic
 // display name equal to "twitter" (=~ is case-insensitive), within edit distance 1 of it,
 // or a sender domain containing "twitter" anywhere (ilike is a case-insensitive glob)
12 (
13 sender.display_name =~ "twitter"
14 or strings.ilevenshtein(sender.display_name, 'twitter') <= 1
15 or strings.ilike(sender.email.domain.domain, '*twitter*')
16 )
17 // "X" logic
 // needs either indicator branch below AND one of the message topics listed after them
18 or (
19 (
 // branch A: at least 3 of these 5 lures — a "-x.com" root domain on the sender or on a body
 // link, dispute/copyright/appeal wording, or either of two X street addresses.
 // NOTE(review): the '1355 Market Street' check uses strings.contains (case-sensitive) while
 // the neighbouring text checks are case-insensitive — confirm this is intended
20 3 of (
21 strings.iends_with(sender.email.domain.root_domain, "-x.com"),
22 any(body.links, strings.iends_with(.href_url.domain.root_domain, "-x.com")),
23 strings.ilike(body.current_thread.text,
24 "*content dispute*",
25 "*copyright*",
26 "*appeal*"
27 ),
28 strings.contains(body.current_thread.text, '1355 Market Street'),
29 strings.ilike(body.current_thread.text, '*865 FM 1209*bastrop*')
30 )
 // branch B: X is the only brand logo detected on the message screenshot (high confidence)
 // and a high-confidence cred_theft intent is found in the thread text or in the OCR'd screenshot
31 or (
32 length(ml.logo_detect(beta.message_screenshot()).brands) == 1
33 and any(ml.logo_detect(beta.message_screenshot()).brands,
34 .name == "X" and .confidence == "high"
35 )
36 and (
37 any(ml.nlu_classifier(body.current_thread.text).intents,
38 .name == "cred_theft" and .confidence == "high"
39 )
40 or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
41 .name == "cred_theft" and .confidence == "high"
42 )
43 )
44 )
45 )
 // topic gate for the "X" path only; the Twitter path above is not topic-gated
46 and any(beta.ml_topic(body.current_thread.text).topics,
47 .name in (
48 "Reminders and Notifications",
49 "Security and Authentication",
50 "Legal and Compliance",
51 "Customer Service and Support"
52 )
53 )
54 )
55 )
 // fixed sender-domain allowlist (in~ is case-insensitive); the non-Twitter entries are
 // presumably known false-positive sources — verify against alert history.
 // NOTE(review): this keys on the raw From domain with no authentication check, so a message
 // whose From claims twitter.com or x.com is excluded whether or not it passes DMARC; consider
 // limiting the exclusion to authenticated mail (e.g. headers.auth_summary.dmarc.pass)
56 and sender.email.domain.domain not in~ (
57 'twitter.com',
58 'privaterelay.appleid.com',
59 'stripe.com',
60 'x.com',
61 'twitter.discoursemail.com',
62 'slack.com'
63 )
64 // negate Hearsay Systems which sends notifications from sender domain ending in twitter.com
 // NOTE(review): headers.message_id is set by the sending system, so this carve-out rests on
 // the subdomain check alone, and that check is not tied to an authentication result either
65 and not (
66 strings.ends_with(sender.email.domain.domain, '.hearsay.twitter.com')
67 and strings.ends_with(headers.message_id, '@hearsaysystems.com>')
68 )
 // drop mail whose sender address is itself in $recipient_emails (presumably the org's own
 // mailboxes — confirm what that list holds)
69 and sender.email.email not in $recipient_emails
70attack_types:
71 - "Credential Phishing"
72tactics_and_techniques:
73 - "Impersonation: Brand"
74 - "Lookalike domain"
75 - "Social engineering"
76detection_methods:
77 - "Sender analysis"
78id: "013c32c2-fa05-5456-9c45-284e008ff6a4"