Brand impersonation: Vanta

Impersonation of Vanta.

Sublime rule

name: "Brand impersonation: Vanta"
description: |
    Impersonation of Vanta.
type: "rule"
severity: "low"
authors:
  - twitter: "itsRobPicard"
source: |
  type.inbound
  // "vanta" in the display name or local part, or a sender SLD within one edit of "vanta"
  and (
    regex.imatch(sender.display_name, '\bvanta\b')
    or strings.ilike(sender.email.local_part, '*vanta*')
    or strings.ilevenshtein(sender.email.domain.sld, 'vanta') <= 1
  )
  // exclude "advantage", which contains the substring "vanta"
  and not (
    strings.ilike(sender.display_name, '*advantage*')
    or strings.ilike(sender.email.email, '*advantage*')
    or strings.ilevenshtein(sender.email.domain.sld, 'advantage') <= 1
  )
  // only senders on free email providers that are not in the $sender_emails list
  and sender.email.domain.root_domain in $free_email_providers
  and sender.email.email not in $sender_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "883d4382-11a6-5924-9e3e-2cb5a11c3f56"