Brand impersonation: Twitter

calendar Nov 21, 2023  ยท
Share on: linkedin copy

Impersonation of Twitter

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Twitter"
 2description: |
 3    Impersonation of Twitter
 4references:
 5  - "https://www.techrepublic.com/article/phishing-attack-spoofs-twitter-to-steal-account-credentials/"
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and (
11    sender.display_name =~ "twitter"
12    or strings.ilevenshtein(sender.display_name, 'twitter') <= 1
13    or strings.ilike(sender.email.domain.domain, '*twitter*')
14  )
15  and sender.email.domain.domain not in~ ('twitter.com', 'privaterelay.appleid.com', 'stripe.com', 'x.com', 'twitter.discoursemail.com')
16  and sender.email.email not in $recipient_emails  
17attack_types:
18  - "Credential Phishing"
19tactics_and_techniques:
20  - "Impersonation: Brand"
21  - "Lookalike domain"
22  - "Social engineering"
23detection_methods:
24  - "Sender analysis"
25id: "013c32c2-fa05-5456-9c45-284e008ff6a4"
to-top