Brand impersonation: Venmo
Impersonation of Venmo
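name: "Brand impersonation: Venmo"
description: |
  Impersonation of Venmo
references:
  - "https://whnt.com/taking-action/bbb-consumer-alerts/new-venmo-scam-tricks-users/"
type: "rule"
severity: "medium"
source: |
  type.inbound
  // the display name or sending domain references Venmo; all three checks are
  // case-insensitive and the levenshtein clause tolerates a one-character typo
  and (
    strings.ilike(sender.display_name, '*venmo*')
    or strings.ilevenshtein(sender.display_name, 'venmo') <= 1
    or strings.ilike(sender.email.domain.domain, '*venmo*')
  )
  // exempt Venmo's legitimate sending domains only when the message carries a
  // DMARC pass: the From root domain alone is attacker-controlled unless it
  // authenticates, so a bare domain allowlist would let a spoofed
  // "@venmo.com" From header bypass this rule
  and not (
    sender.email.domain.root_domain in~ ('venmo.com', 'synchronybank.com', 'venmocreditsurvey.com', 'venmo-experience.com')
    and any(distinct(headers.hops, .authentication_results.dmarc is not null),
      strings.ilike(.authentication_results.dmarc, "pass")
    )
  )
  // skip messages the user sent to themselves (sender is also a recipient)
  and sender.email.email not in $recipient_emails

  // exempt "<someone> via Venmo" notifications, but only when DMARC passes for
  // venmo.com; the "via" match is case-insensitive like the other name checks
  and not (
    any(distinct(headers.hops, .authentication_results.dmarc is not null),
      strings.ilike(.authentication_results.dmarc, "pass")
      and .authentication_results.dmarc_details.from.domain == "venmo.com"
    )
    and strings.ilike(sender.display_name, '*via*')
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "0ab15d4f-865f-518c-b54d-81043399e6f2"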