Brand impersonation: Coinbase with suspicious links
Detects inbound messages that display the Coinbase logo (in an image attachment or the rendered message) but are not sent from coinbase.com, link nowhere on coinbase.com, and carry links to URL shorteners or social landing hosts.
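name: "Brand impersonation: Coinbase with suspicious links"
description: |
  Detects messages impersonating Coinbase with low reputation or url shortened links.
type: "rule"
severity: "medium"
source: |
  // Inbound only. The sender check is a plain root_domain comparison, not an
  // authentication result: any message whose From domain is coinbase.com is
  // excluded here whether or not it passed SPF/DMARC, so a directly spoofed
  // coinbase.com sender is out of scope for this rule.
  type.inbound
  and sender.email.domain.root_domain != "coinbase.com"

  // more than 0 less than 5 links; link-heavy bulk/marketing mail is out of scope
  and 0 < length(body.links) < 5

  // none of the links are to coinbase.com
  and all(body.links, .href_url.domain.root_domain != "coinbase.com")

  // url shortened or social landing links found.
  // The two host-list checks are parenthesised so the Google Maps exemption
  // applies to both. `and` binds tighter than `or`, so without the grouping
  // the exemption attached only to the $social_landing_hosts branch and a
  // goo.gl link (matched via $url_shorteners) was never exempted.
  and any(body.links,
          (
            .href_url.domain.domain in $url_shorteners
            or .href_url.domain.domain in $social_landing_hosts
          )
          // exempting legitimate Google Maps shortener
          // NOTE(review): '?' is a single-character wildcard in strings.ilike,
          // so this pattern matches https:// only; confirm whether plain
          // http://goo.gl/maps links should be exempt as well.
          and not strings.ilike(.href_url.url, "http?://goo.gl/maps*")
  )
  // NOTE(review): the description and tactics advertise low reputation links
  // (domain not in $tranco_1m, $free_file_hosts, $free_subdomain_hosts, and the
  // hubspotlinks.com / mandrillapp.com / sendgrid.net redirectors). Previously
  // those checks lived inside the exemption sub-clause of the
  // $social_landing_hosts branch, where a self-referencing
  // `in $social_landing_hosts` term made the sub-clause always true, so they
  // never acted as a trigger. Adding them as an independent trigger widens the
  // rule's firing surface and should be a deliberate, separately tested change.

  // Coinbase logo, either in an image attachment or in the rendered message
  and (
    any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands, .name == "Coinbase")
    )
    or any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Coinbase")
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
  - "Image as content"
  - "Impersonation: Brand"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "URL analysis"
id: "b61e2f8e-ab8e-5212-ab20-c294babfc6d9"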