Brand impersonation: Venmo
Detects inbound mail whose sender display name impersonates Venmo (substring or one-edit lookalike) from a sending domain that is not an authenticated Venmo domain.
Sublime rule (View on GitHub)
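name: "Brand impersonation: Venmo"
description: |
  Impersonation of Venmo
references:
  - "https://whnt.com/taking-action/bbb-consumer-alerts/new-venmo-scam-tricks-users/"
type: "rule"
severity: "medium"
source: |
  type.inbound
  // display name claims to be Venmo: substring match, or within one edit
  // (case-insensitive) so single-character lookalikes are caught
  and (
    strings.ilike(sender.display_name, '*venmo*')
    or strings.ilevenshtein(sender.display_name, 'venmo') <= 1
  )

  // exclude Venmo's own sending domains only when the message authenticates.
  // A bare root_domain exclusion would also drop a spoofed From: at venmo.com
  // that fails DMARC, which is exactly the impersonation this rule targets.
  and not (
    sender.email.domain.root_domain in~ (
      'venmo.com',
      'synchronybank.com',
      'venmocreditsurvey.com',
      'venmo-experience.com'
    )
    and headers.auth_summary.dmarc.pass
  )

  // "Venmo via <service>" style display names are legitimate when DMARC
  // passes for venmo.com (note: the "via" match is case-sensitive)
  and not (
    (
      headers.auth_summary.dmarc.pass
      and headers.auth_summary.dmarc.details.from.root_domain == "venmo.com"
    )
    and strings.contains(sender.display_name, "via")
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // suppress senders with prior false positives or a solicited history
  and (
    not profile.by_sender().any_false_positives
    and not profile.by_sender().solicited
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "0ab15d4f-865f-518c-b54d-81043399e6f2"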