Brand impersonation: Twitter
Impersonation of Twitter.
Sublime rule
# Sublime Security detection rule.
# Flags inbound mail that impersonates Twitter (or its "X" rebrand) and is
# likely credential phishing. Two independent paths can trigger: a Twitter
# display-name/domain lookalike, or an X logo combined with a credential-theft
# intent and a notification-style topic. A short allow-list of legitimate
# sending domains and one vendor carve-out are subtracted afterwards.
name: "Brand impersonation: Twitter"
description: |
  Impersonation of Twitter.
references:
  - "https://www.techrepublic.com/article/phishing-attack-spoofs-twitter-to-steal-account-credentials/"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // Twitter logic: display name equals "twitter" (case-insensitive match),
    // is within one edit of it (case-insensitive Levenshtein), or the sender
    // domain contains the substring "twitter" anywhere
    (
      sender.display_name =~ "twitter"
      or strings.ilevenshtein(sender.display_name, 'twitter') <= 1
      or strings.ilike(sender.email.domain.domain, '*twitter*')
    )
    // "X" logic: a single-letter brand is too generic for name matching, so
    // all three signals below must be present: a high-confidence X logo in
    // the rendered message, a high-confidence credential-theft intent (from
    // the body text or from OCR of the screenshot), and a topic typical of
    // account/security/legal notices
    or (
      any(ml.logo_detect(beta.message_screenshot()).brands,
          .name == "X" and .confidence == "high"
      )
      and (
        any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "cred_theft" and .confidence == "high"
        )
        or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
               .name == "cred_theft" and .confidence == "high"
        )
      )
      and any(beta.ml_topic(body.current_thread.text).topics,
              .name in (
                "Reminders and Notifications",
                "Security and Authentication",
                "Legal and Compliance"
              )
      )
    )
  )
  // Allow-list of legitimate sending domains (case-insensitive comparison).
  // NOTE(review): this exclusion is keyed on the claimed sender domain only
  // and is not conditioned on authentication results, so a message that
  // spoofs one of these domains is excluded as well -- confirm whether that
  // is intended, or whether the exclusion should also require the sender
  // to authenticate.
  and sender.email.domain.domain not in~ (
    'twitter.com',
    'privaterelay.appleid.com',
    'stripe.com',
    'x.com',
    'twitter.discoursemail.com'
  )
  // Negate Hearsay Systems, which sends notifications from a sender domain
  // ending in twitter.com; both the sender sub-domain and the Message-ID
  // host must match for the carve-out to apply.
  and not (
    strings.ends_with(sender.email.domain.domain, '.hearsay.twitter.com')
    and strings.ends_with(headers.message_id, '@hearsaysystems.com>')
  )
  // $recipient_emails is an externally provided list; presumably the
  // organisation's own addresses, so internal senders are skipped -- verify.
  and sender.email.email not in $recipient_emails
# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
# Stable rule identifier; keep unchanged across edits so existing references hold.
id: "013c32c2-fa05-5456-9c45-284e008ff6a4"