Brand Impersonation: Coinbase with suspicious links
Detects messages impersonating Coinbase with low reputation or url shortened links.
Sublime rule (View on GitHub)
name: "Brand Impersonation: Coinbase with suspicious links"
description: |
  Detects messages impersonating Coinbase with low reputation or url shortened links.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.root_domain != "coinbase.com"

  // more than 0 less than 5 links
  and 0 < length(body.links) < 5

  // none of the links are to coinbase.com
  and all(body.links, .href_url.domain.root_domain != "coinbase.com")

  // low rep or url shortened links found
  //
  // NOTE(review): as written, this any() reduces to
  //   any(body.links, .href_url.domain.domain in $url_shorteners)
  // The shortener check is AND-ed with a parenthesised group, and that group
  // is always true once the shortener check holds, because one of its "or"
  // branches repeats ".href_url.domain.domain in $url_shorteners". So the
  // low-reputation / free-host / mass-mailer tests never widen the match, and
  // the goo.gl/maps exemption never excludes anything. If the intent (per the
  // description) is "shortener OR low-reputation link", the shortener test and
  // its goo.gl/maps exemption presumably need their own parentheses, with the
  // low-reputation disjunction as a sibling "or" — confirm against the
  // authored rule before changing, since that widens what the rule matches.
  and any(body.links,
          .href_url.domain.domain in $url_shorteners

          // exempting legitimate Google Maps shortener
          and (
            not strings.ilike(.href_url.url, "http?://goo.gl/maps*")
            or (
              .href_url.domain.domain not in $tranco_1m
              or .href_url.domain.domain in $free_file_hosts
              or .href_url.domain.root_domain in $free_file_hosts
              or .href_url.domain.root_domain in $free_subdomain_hosts
              or .href_url.domain.domain in $url_shorteners
              or

              // mass mailer link, masks the actual URL
              .href_url.domain.root_domain in (
                "hubspotlinks.com",
                "mandrillapp.com",
                "sendgrid.net",
              )
            )
          )
  )
  // Coinbase logo
  // Checked two ways: logo detection over each image attachment, and logo
  // detection over a rendered screenshot of the message itself.
  and (
    any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands, .name == "Coinbase")
    )
    or any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Coinbase")
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
  - "Image as content"
  - "Impersonation: Brand"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "URL analysis"
id: "b61e2f8e-ab8e-5212-ab20-c294babfc6d9"