Brand impersonation: Vanta
Flags inbound email whose sender display name, address local part, or domain looks like "Vanta" while the sending domain is a free email provider (low-severity brand-impersonation rule).
Sublime rule
# Sublime Security detection rule (MQL query in `source`).
# Flags inbound mail whose sender display name, address local part, or
# domain looks like "Vanta" while the sending domain is a free email provider.
name: "Brand impersonation: Vanta"
description: |
  Impersonation of Vanta.
type: "rule"
# Severity is low; note that the query below inspects only sender fields and
# the DMARC summary, not message content.
severity: "low"
authors:
  - twitter: "itsRobPicard"
source: |
  type.inbound
  // Sender looks like Vanta: display name, local part, or second-level domain.
  and (
    // NOTE(review): in MQL regex.imatch is a whole-string match (confirm);
    // combined with the \b anchors, these two lines only fire when the field
    // is exactly "vanta" (case-insensitive). If "Vanta Support" or
    // "vanta.billing" should also match, regex.icontains is the
    // match-anywhere form.
    regex.imatch(sender.display_name, '\bvanta\b')
    or regex.imatch(sender.email.local_part, '(\b)vanta|vanta(\b)')
    // Lookalike SLD within one edit of "vanta" (e.g. "vamta").
    // NOTE(review): root_domain must also be in $free_email_providers
    // (below), so this branch can only fire if a free provider's own SLD is
    // within one edit of "vanta" (assumes sld is the label of root_domain).
    // Verify that the "Lookalike domain" tactic is actually reachable here.
    or strings.ilevenshtein(sender.email.domain.sld, 'vanta') <= 1
  )
  // "advantage" contains the substring "vanta"; exclude senders whose name,
  // address, or SLD look like that word.
  and not (
    strings.ilike(sender.display_name, '*advantage*')
    or strings.ilike(sender.email.email, '*advantage*')
    or strings.ilevenshtein(sender.email.domain.sld, 'advantage') <= 1
  )
  // Only fire for free-mail senders (assumes the real brand never mails
  // from a free provider).
  and sender.email.domain.root_domain in $free_email_providers
  // $sender_emails: presumably the org's allowlist of known sender addresses.
  and sender.email.email not in $sender_emails

  // negate highly trusted sender domains unless they fail DMARC authentication
  // i.e. a root domain listed in $high_trust_sender_root_domains is kept only
  // when DMARC did not pass (a missing DMARC result also counts as not
  // passing if `not` treats null as false here -- confirm); every other
  // domain passes straight through. Given the free-provider constraint above,
  // this clause only matters for domains present in both lists.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  # Corresponds to the ilevenshtein SLD check in `source`.
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
# Rule identifier; presumably stable across revisions -- do not regenerate.
id: "883d4382-11a6-5924-9e3e-2cb5a11c3f56"