Brand impersonation: Wise with suspicious attachment

Detects inbound messages that impersonate Wise Financial, as confirmed by NLU, and carry a suspicious attachment type.

Sublime rule

```yaml
name: "Brand impersonation: Wise with suspicious attachment"
description: |
    Impersonating Wise Financial, as confirmed by NLU, and contains a suspicious attachment type.
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name, '*wise*')
    or strings.ilike(sender.email.domain.domain, '*wise*')
  )
  and any(ml.nlu_classifier(body.current_thread.text).tags, .name in ("payment", "invoice"))
  and any(attachments,
          .file_type in $file_extensions_common_archives
          or .file_type in $file_extensions_executables
          or .file_type in $file_extensions_macros
          or .file_type in ("lz")
  )
  and sender.email.domain.root_domain not in~ ('wise.com', 'wise.jobs')
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "01480f95-dc1e-5b9a-a360-96bfee663c39"
```
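To make the rule's clauses concrete, the following is an added Python reimplementation run over constructed sample messages; it is not Sublime's engine or the project's code, and the `$file_extensions_*` lists and the NLU classifier are replaced by assumed stand-ins (abbreviated extension sets and tags stored on the message).

```python
import fnmatch

# Abbreviated stand-ins for Sublime's $file_extensions_* lists (assumed values,
# not the real lists); the rule also adds the bare "lz" type.
COMMON_ARCHIVES = {"zip", "rar", "7z", "iso"}
EXECUTABLES = {"exe", "scr", "js", "vbs"}
MACROS = {"docm", "xlsm"}
SUSPICIOUS_TYPES = COMMON_ARCHIVES | EXECUTABLES | MACROS | {"lz"}
# Root domains the rule exempts (compared case-insensitively, like `not in~`).
LEGIT_ROOT_DOMAINS = {"wise.com", "wise.jobs"}


def ilike(value, pattern):
    """Case-insensitive wildcard match, mirroring MQL strings.ilike()."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def root_domain(fqdn):
    """Naive root-domain extraction (last two labels); stand-in for MQL root_domain."""
    return ".".join(fqdn.lower().split(".")[-2:])


def matches_rule(msg):
    """True when the message satisfies every clause of the rule above.

    msg["nlu_tags"] stands in for ml.nlu_classifier(...).tags and
    msg["attachments"] is a list of attachment file types.
    """
    if not msg["inbound"]:
        return False
    brand_lure = ilike(msg["display_name"], "*wise*") or ilike(msg["sender_domain"], "*wise*")
    financial_intent = any(tag in ("payment", "invoice") for tag in msg["nlu_tags"])
    risky_attachment = any(ftype.lower() in SUSPICIOUS_TYPES for ftype in msg["attachments"])
    not_the_real_brand = root_domain(msg["sender_domain"]) not in LEGIT_ROOT_DOMAINS
    return brand_lure and financial_intent and risky_attachment and not_the_real_brand


# Constructed sample messages (not real traffic).
PHISH = {"inbound": True, "display_name": "Wise Payments", "sender_domain": "wise-transfer-notice.example",
         "nlu_tags": ["payment"], "attachments": ["lz"]}
LEGIT = {"inbound": True, "display_name": "Wise", "sender_domain": "notifications.WISE.com",
         "nlu_tags": ["payment"], "attachments": ["zip"]}
BENIGN_ATTACHMENT = {"inbound": True, "display_name": "Wise Invoices", "sender_domain": "wise-billing.example",
                     "nlu_tags": ["invoice"], "attachments": ["pdf"]}

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("legit", LEGIT), ("benign attachment", BENIGN_ATTACHMENT)):
        print(f"{label}: {'ALERT' if matches_rule(msg) else 'no match'}")
```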