Brand Impersonation: Coinbase with suspicious links
Detects messages impersonating Coinbase that contain low-reputation or URL-shortened links.
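name: "Brand Impersonation: Coinbase with suspicious links"
description: |
  Detects messages impersonating Coinbase with low reputation or url shortened links.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.root_domain != "coinbase.com"

  // more than 0 less than 5 links
  and 0 < length(body.links) < 5

  // none of the links are to coinbase.com
  and all(body.links, .href_url.domain.root_domain != "coinbase.com")

  // low rep or url shortened links found.
  // The shortener test and the low-reputation tests are alternatives: a link
  // matches if it is a URL shortener (other than the Google Maps shortener) OR
  // if it meets any of the low-reputation conditions below. Placing the
  // shortener test outside the alternatives and repeating it inside them
  // makes the goo.gl/maps exemption unreachable, because any shortener link
  // re-satisfies the repeated "in $url_shorteners" alternative.
  and any(body.links,
          (
            .href_url.domain.domain in $url_shorteners
            // exempting legitimate Google Maps shortener
            and not strings.ilike(.href_url.url, "http?://goo.gl/maps*")
          )
          or .href_url.domain.domain not in $tranco_1m
          or .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts

          // mass mailer link, masks the actual URL
          or .href_url.domain.root_domain in (
            "hubspotlinks.com",
            "mandrillapp.com",
            "sendgrid.net",
          )
  )

  // Coinbase logo, either in an image attachment or in a screenshot of the rendered message
  and (
    any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands, .name == "Coinbase")
    )
    or any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Coinbase")
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
  - "Image as content"
  - "Impersonation: Brand"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "URL analysis"
id: "b61e2f8e-ab8e-5212-ab20-c294babfc6d9"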