Brand impersonation: Wells Fargo

Impersonation of Wells Fargo Bank.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Wells Fargo"
 2description: |
 3    Impersonation of Wells Fargo Bank.
 4references:
 5  - "https://www.americanbanker.com/news/wells-fargo-customers-targeted-with-phishing-attacks-using-calendar-invites"
 6  - "https://www.wellsfargo.com/biz/help/faqs/credit-card-rewards/"
 7type: "rule"
 8severity: "high"
 9source: |
10  type.inbound
11  and (
12    sender.display_name =~ 'wellsfargo'
13    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
14                            'wellsfargo'
15    ) <= 1
16    or regex.icontains(strings.replace_confusables(sender.display_name),
17                       'we(ll|ii)s?\s?farg(o|o͙)'
18    )
19    or strings.ilike(sender.email.domain.domain, '*wellsfargo*')
20    or strings.ilike(subject.subject, '*wells fargo security*')
21    or strings.ilike(body.plain.raw, '*wells fargo security team*')
22    or strings.ilike(body.html.inner_text, '*wells fargo security team*')
23  )
24  and sender.email.domain.root_domain not in~ (
25    'wellsfargo.com',
26    'wellsfargoadvisors.com',
27    'transunion.com',
28    'wellsfargoemail.com',
29    'wellsfargorewards.com',
30    'comcast-spectacor.com',
31    'investordelivery.com',
32    'comcastspectacor.com',
33    'wfadvisors.com',
34    'wellsfargomerchantservicesllc.com'
35  )
36  and (
37    sender.email.email not in $recipient_emails
38    or regex.icontains(sender.email.email, "no.?reply")
39  )
40  
41  // negate highly trusted sender domains unless they fail DMARC authentication
42  and (
43    (
44      sender.email.domain.root_domain in $high_trust_sender_root_domains
45      and not headers.auth_summary.dmarc.pass
46    )
47    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
48    or sender.email.email in (
49      "drive-shares-noreply@google.com",
50      "drive-shares-dm-noreply@google.com"
51    ) // Google Drive abuse has been observed
52  )  
53attack_types:
54  - "Credential Phishing"
55tactics_and_techniques:
56  - "Impersonation: Brand"
57  - "Lookalike domain"
58  - "Social engineering"
59detection_methods:
60  - "Content analysis"
61  - "Sender analysis"
62id: "02d7301f-cc29-5031-9a1e-f013400805ba"
to-top