Brand impersonation: Venmo
Impersonation of Venmo
# Sublime Security detection rule. Flags inbound mail whose sender display
# name references "venmo" while the sending root domain is not one of the
# listed Venmo/Synchrony domains. The rendered page had line numbers fused
# into each line; they are dropped here and the block-scalar indentation is
# restored (whitespace inside the MQL expression is not significant).
name: "Brand impersonation: Venmo"
description: |
  Impersonation of Venmo
references:
  - "https://whnt.com/taking-action/bbb-consumer-alerts/new-venmo-scam-tricks-users/"
type: "rule"
severity: "medium"
# MQL query. Comments inside the block scalar use MQL's `//` syntax, since a
# `#` there would become part of the string value. Outline of the clauses:
#   1. inbound message whose display name matches '*venmo*' (case-insensitive
#      ilike) or is within Levenshtein distance 1 of 'venmo';
#   2. the sender's root domain is not in the allowlist below (case-insensitive
#      `not in~`). NOTE(review): this exemption is keyed on root_domain alone
#      and does not require a DMARC pass, unlike the $high_trust clause further
#      down -- confirm that is intended, since a From domain is only trustworthy
#      when authenticated;
#   3. not a DMARC-passing venmo.com message whose display name contains
#      "via" (i.e. relayed through another service);
#   4. highly trusted sender root domains are exempt only while they pass DMARC;
#   5. the sender profile has no messages marked benign and is not marked
#      solicited.
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name, '*venmo*')
    or strings.ilevenshtein(sender.display_name, 'venmo') <= 1
  )
  and sender.email.domain.root_domain not in~ (
    'venmo.com',
    'synchronybank.com',
    'venmocreditsurvey.com',
    'venmo-experience.com',
    'synchrony.com'
  )

  // and not if the sender.display.name contains "via" and dmarc pass from venmo.com
  and not (
    (
      headers.auth_summary.dmarc.pass
      and headers.auth_summary.dmarc.details.from.root_domain == "venmo.com"
    )
    and strings.contains(sender.display_name, "via")
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // and no false positives and not solicited
  and (
    not profile.by_sender().any_messages_benign
    and not profile.by_sender().solicited
  )
# Classification metadata used for rule categorisation.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
# Stable rule identifier (quoted so the hyphenated UUID is never retyped).
id: "0ab15d4f-865f-518c-b54d-81043399e6f2"