Brand impersonation: Wells Fargo

calendar Apr 15, 2026  ·
Share on: linkedin copy

Impersonation of Wells Fargo Bank.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Wells Fargo"
 2description: |
 3    Impersonation of Wells Fargo Bank.
 4references:
 5  - "https://www.americanbanker.com/news/wells-fargo-customers-targeted-with-phishing-attacks-using-calendar-invites"
 6  - "https://www.wellsfargo.com/biz/help/faqs/credit-card-rewards/"
 7type: "rule"
 8severity: "high"
 9source: |
10  type.inbound
11  and (
12    sender.display_name =~ 'wellsfargo'
13    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
14                            'wellsfargo'
15    ) <= 1
16    or regex.icontains(strings.replace_confusables(sender.display_name),
17                       'we(ll|ii)s?\s?farg(o|o͙)'
18    )
19    or strings.ilike(sender.email.domain.domain, '*wellsfargo*')
20    or strings.ilike(subject.subject, '*wells fargo security*')
21    or strings.ilike(body.plain.raw, '*wells fargo security team*')
22    or strings.ilike(body.html.inner_text, '*wells fargo security team*')
23    // Wells Fargo & Company (WFC)
24    or (
25      regex.icontains(sender.display_name, '\bW.?F.?C\b')
26      and any([sender.display_name, subject.base],
27              strings.ilike(.,
28                            '*bank*',
29                            '*security*',
30                            '*processing*',
31                            '*approval*',
32                            '*refund*'
33              )
34      )
35    )
36  )
37  and sender.email.domain.root_domain not in~ (
38    'wellsfargo.com',
39    'wellsfargoadvisors.com',
40    'transunion.com',
41    'wellsfargoemail.com',
42    'wellsfargorewards.com',
43    'comcast-spectacor.com',
44    'investordelivery.com',
45    'comcastspectacor.com',
46    'wfadvisors.com',
47    'wellsfargomerchantservicesllc.com'
48  )
49  and (
50    sender.email.email not in $recipient_emails
51    or regex.icontains(sender.email.email, "no.?reply")
52  )
53  
54  // negate highly trusted sender domains unless they fail DMARC authentication
55  and (
56    (
57      sender.email.domain.root_domain in $high_trust_sender_root_domains
58      and not headers.auth_summary.dmarc.pass
59    )
60    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
61    or sender.email.email in (
62      "drive-shares-noreply@google.com",
63      "drive-shares-dm-noreply@google.com"
64    ) // Google Drive abuse has been observed
65  )  
66attack_types:
67  - "Credential Phishing"
68tactics_and_techniques:
69  - "Impersonation: Brand"
70  - "Lookalike domain"
71  - "Social engineering"
72detection_methods:
73  - "Content analysis"
74  - "Sender analysis"
75id: "02d7301f-cc29-5031-9a1e-f013400805ba"
to-top