Brand impersonation: Twitter
Detects inbound mail impersonating Twitter or its successor brand X Corp: a lookalike sender display name or sender domain, a cluster of X Corp indicators in the message (X Corp postal addresses, "-x.com" sender or link domains, content-dispute/copyright/appeal wording), or a high-confidence X logo combined with a high-confidence credential-theft intent.
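name: "Brand impersonation: Twitter"
description: |
  Impersonation of Twitter, or of its successor brand X Corp, in inbound mail.
  Fires on a lookalike sender display name or sender domain, on a cluster of
  X Corp indicators (X Corp postal addresses, "-x.com" sender or link domains,
  content-dispute / copyright / appeal wording), or on a high-confidence X
  logo paired with a high-confidence credential-theft intent. Known
  legitimate sender domains are excluded.
references:
  - "https://www.techrepublic.com/article/phishing-attack-spoofs-twitter-to-steal-account-credentials/"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // Twitter logic: exact display name, one-edit lookalike, or a sender
    // domain containing "twitter".
    (
      sender.display_name =~ "twitter"
      or strings.ilevenshtein(sender.display_name, 'twitter') <= 1
      or strings.ilike(sender.email.domain.domain, '*twitter*')
    )
    // "X" logic: a cluster of X Corp indicators, or the X logo plus a
    // credential-theft intent, in both cases gated by a topic check below.
    or (
      (
        // At least three independent signals must co-occur; a single one
        // (e.g. "*appeal*") is too common on its own.
        3 of (
          strings.iends_with(sender.email.domain.root_domain, "-x.com"),
          strings.icontains(sender.email.local_part, "x-corp"),
          any(body.links,
              strings.iends_with(.href_url.domain.root_domain, "-x.com")
              or strings.istarts_with(.href_url.domain.subdomain, "x-corp")
          ),
          strings.ilike(body.current_thread.text,
                        "*content dispute*",
                        "*copyright*",
                        "*appeal*"
          ),
          // X Corp postal addresses and name. The next three checks use
          // case-sensitive strings.contains, unlike the rest of the rule.
          strings.contains(body.current_thread.text, '1355 Market Street'),
          strings.contains(body.current_thread.text, 'San Francisco, CA 94103'),
          strings.contains(body.current_thread.text, 'X Corp'),
          strings.ilike(body.current_thread.text, '*865 FM 1209*bastrop*')
        )
        // Or: the X logo is the only brand detected in the rendered message,
        // and either the body text or the OCR'd screenshot carries a
        // high-confidence credential-theft intent.
        or (
          length(ml.logo_detect(file.message_screenshot()).brands) == 1
          and any(ml.logo_detect(file.message_screenshot()).brands,
                  .name == "X" and .confidence == "high"
          )
          and (
            any(ml.nlu_classifier(body.current_thread.text).intents,
                .name == "cred_theft" and .confidence == "high"
            )
            or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
                   .name == "cred_theft" and .confidence == "high"
            )
          )
        )
      )
      // Both X branches additionally require one of these message topics.
      and any(beta.ml_topic(body.current_thread.text).topics,
              .name in (
                "Reminders and Notifications",
                "Security and Authentication",
                "Legal and Compliance",
                "Customer Service and Support"
              )
      )
    )
  )
  // Legitimate senders that would otherwise trip the branches above.
  // NOTE(review): this exemption is keyed on the From domain alone. A
  // spoofed From: twitter.com / x.com satisfies it unless the message's
  // authentication result is also checked; confirm whether the exclusion
  // should be gated on a passing authentication result.
  and sender.email.domain.domain not in~ (
    'twitter.com',
    'privaterelay.appleid.com',
    'stripe.com',
    'x.com',
    'twitter.discoursemail.com',
    'slack.com'
  )
  // Negate Hearsay Systems, which sends notifications from a sender domain
  // ending in twitter.com but with its own Message-ID domain.
  and not (
    strings.ends_with(sender.email.domain.domain, '.hearsay.twitter.com')
    and strings.ends_with(headers.message_id, '@hearsaysystems.com>')
  )
  // Exclude mail whose sender address is also one of the recipients.
  and sender.email.email not in $recipient_emails

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  # The source inspects body text and links, runs logo detection and OCR on
  # the rendered message, applies NLU intent and topic classifiers, and reads
  # the Message-ID header, so "Sender analysis" alone under-describes it.
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "013c32c2-fa05-5456-9c45-284e008ff6a4"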