Service abuse: Trello board invitation with VIP impersonation
Detects fraudulent Trello board invitations that impersonate organization VIPs by using organization domain names in board titles and including notes purportedly from legitimate company executives.
Sublime rule (View on GitHub)
name: "Service abuse: Trello board invitation with VIP impersonation"
description: "Detects fraudulent Trello board invitations that impersonate organization VIPs by using organization domain names in board titles and including notes purportedly from legitimate company executives."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.root_domain == "trello.com"
  and any(headers.hops,
          any(.fields,
              .name =~ "X-Msys-Api"
              and strings.icontains(.value, 'campaign_id":"invite_board_')
          )
  )

  // inspect the body for two observed patterns
  and (
    // org_sld as the start of the board name with the org_vip as the sender
    any(html.xpath(body.html, '//h2').nodes,
        // org vip
        any($org_vips, strings.icontains(..display_text, .display_name))
        // org sld as the board name
        and any($org_slds,
                strings.icontains(..display_text,
                                  strings.concat('invited you to their board ', .)
                )
        )
    )
    // pattern of the first name ending in `From` after the org_vip display name
    or any(html.xpath(body.html,
                      '//div[img[@class="trello-member-avatar"]]/parent::div'
           ).nodes,
           strings.starts_with(.display_text, 'A note from ')
           and strings.iends_with(.display_text, 'From')
           and any($org_vips, strings.icontains(..display_text, .display_name))
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: VIP"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Sender analysis"
id: "fedfc94b-4a33-57e0-a891-1af92aec6ddb"
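As an added illustration that is not part of the Sublime rule or its repository, the following Python re-implements the rule's three conditions (sender root domain, the X-Msys-Api invite marker, and the two body patterns) over a constructed sample message so the matching logic can be exercised offline. ORG_VIPS and ORG_SLDS are assumed stand-ins for the $org_vips and $org_slds profile lists, the sender address and sample HTML are constructed, and the root-domain check is a naive last-two-labels approximation of the rule's root_domain.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
# Constructed stand-ins for the rule's $org_vips display names and $org_slds list.
ORG_VIPS, ORG_SLDS = ["Jane Doe"], ["examplecorp"]
# Constructed sample invite (not a real Trello message) exercising the first body pattern.
SAMPLE = ('From: Trello <do-not-reply@trello.com>\nX-Msys-Api: {"campaign_id":"invite_board_x"}\n'
          "Content-Type: text/html\n\n<h2>Jane Doe invited you to their board examplecorp payroll</h2>")

class _TrelloBody(HTMLParser):
    """Collects <h2> text and the text of each <div> whose child <div> holds the avatar <img> (the rule's XPaths)."""
    def __init__(self):
        super().__init__()
        self.h2, self.note_blocks, self._stack = [], [], []
    def handle_starttag(self, tag, attrs):
        if tag in ("h2", "div"):
            self._stack.append({"tag": tag, "buf": [], "avatar": False, "parent": False})
        elif tag == "img" and dict(attrs).get("class") == "trello-member-avatar" and self._stack:
            self._stack[-1]["avatar"] = True
    def handle_data(self, data):
        for node in self._stack:          # text belongs to every open ancestor
            node["buf"].append(data)
    def handle_endtag(self, tag):
        if tag not in ("h2", "div") or not self._stack:
            return
        node = self._stack.pop()
        text = " ".join("".join(node["buf"]).split())   # approximates .display_text
        if node["tag"] == "h2":
            self.h2.append(text)
        elif node["parent"]:
            self.note_blocks.append(text)
        if node["avatar"] and self._stack and self._stack[-1]["tag"] == "div":
            self._stack[-1]["parent"] = True             # parent::div of the avatar's div

def matches_rule(raw_message: str) -> bool:
    """Applies the rule's sender, header and body conditions to one raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if ".".join(domain.split(".")[-2:]) != "trello.com":        # naive root_domain
        return False
    if not any('campaign_id":"invite_board_' in v.lower() for v in msg.get_all("X-Msys-Api", [])):
        return False
    parser = _TrelloBody()
    parser.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    vip_in = lambda t: any(v.lower() in t.lower() for v in ORG_VIPS)       # strings.icontains
    board = any(vip_in(t) and any(f"invited you to their board {s}".lower() in t.lower() for s in ORG_SLDS)
                for t in parser.h2)
    note = any(t.startswith("A note from ") and t.lower().endswith("from") and vip_in(t)
               for t in parser.note_blocks)
    return board or note
```

Swapping the VIP name, sender domain or campaign marker in SAMPLE shows which of the three conditions each change defeats, which is useful when tuning the $org_vips and $org_slds lists against false positives.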