Brand impersonation: Wells Fargo
Impersonation of Wells Fargo Bank.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Wells Fargo"
2description: |
3 Impersonation of Wells Fargo Bank.
4references:
5 - "https://www.americanbanker.com/news/wells-fargo-customers-targeted-with-phishing-attacks-using-calendar-invites"
6 - "https://www.wellsfargo.com/biz/help/faqs/credit-card-rewards/"
7type: "rule"
8severity: "high"
9source: |
10 type.inbound
11 and (
12 sender.display_name =~ 'wellsfargo'
13 or strings.ilevenshtein(strings.replace_confusables(sender.display_name), 'wellsfargo') <= 1
14 or regex.icontains(strings.replace_confusables(sender.display_name), 'we(ll|ii)s?\s?farg(o|o͙)')
15 or strings.ilike(sender.email.domain.domain, '*wellsfargo*')
16 or strings.ilike(subject.subject, '*wells fargo security*')
17 or strings.ilike(body.plain.raw, '*wells fargo security team*')
18 or strings.ilike(body.html.inner_text, '*wells fargo security team*')
19 )
20 and sender.email.domain.root_domain not in~ (
21 'wellsfargo.com',
22 'wellsfargoadvisors.com',
23 'transunion.com',
24 'wellsfargoemail.com',
25 'wellsfargorewards.com',
26 'comcast-spectacor.com',
27 'investordelivery.com',
28 'comcastspectacor.com',
29 'wfadvisors.com',
30 'wellsfargomerchantservicesllc.com'
31 )
32 and sender.email.email not in $recipient_emails
33
34 // negate highly trusted sender domains unless they fail DMARC authentication
35 and (
36 (
37 sender.email.domain.root_domain in $high_trust_sender_root_domains
38 and not headers.auth_summary.dmarc.pass
39 )
40 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
41 or sender.email.email in ("drive-shares-noreply@google.com", "drive-shares-dm-noreply@google.com") // Google Drive abuse has been observed
42 )
43
44attack_types:
45 - "Credential Phishing"
46tactics_and_techniques:
47 - "Impersonation: Brand"
48 - "Lookalike domain"
49 - "Social engineering"
50detection_methods:
51 - "Content analysis"
52 - "Sender analysis"
53id: "02d7301f-cc29-5031-9a1e-f013400805ba"