Brand impersonation: Twitter

Impersonation of Twitter

Sublime rule

 1name: "Brand impersonation: Twitter"
 2description: |
 3    Impersonation of Twitter
 4references:
 5  - "https://www.techrepublic.com/article/phishing-attack-spoofs-twitter-to-steal-account-credentials/"
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and (
11    sender.display_name =~ "twitter"
12    or strings.ilevenshtein(sender.display_name, 'twitter') <= 1
13    or strings.ilike(sender.email.domain.domain, '*twitter*')
14  )
15  and sender.email.domain.domain not in~ ('twitter.com', 'privaterelay.appleid.com', 'stripe.com', 'x.com', 'twitter.discoursemail.com')
16  // negate Hearsay Systems which sends notificaitons from sender domain ending in twitter.com
17  and not (
18    strings.ends_with(sender.email.domain.domain, '.hearsay.twitter.com')
19    and strings.ends_with(headers.message_id, '@hearsaysystems.com>')
20  )
21  and sender.email.email not in $recipient_emails  
22attack_types:
23  - "Credential Phishing"
24tactics_and_techniques:
25  - "Impersonation: Brand"
26  - "Lookalike domain"
27  - "Social engineering"
28detection_methods:
29  - "Sender analysis"
30id: "013c32c2-fa05-5456-9c45-284e008ff6a4"