Create impersonation_capitalone.yml by @zoomequipd #2151 Source SHA 08a1b08 Triggered by @zoomequipd
Sublime Rule Testing Bot
committed
Nov 22, 2024
1 parent
a79a425
commit a792506
Showing
1 changed file
with
18 additions
and
0 deletions.
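--- /dev/null
+++ b/impersonation_capitalone.yml
@@ -0,0 +1,18 @@
+name: "Brand Impersonation: Capital One "
+description: "This detection rule identifies inbound messages containing Capital One branding indicators in display names, sender addresses, message content, or embedded logos, while excluding legitimate Capital One domains and authenticated communications from known trusted senders."
+type: "rule"
+severity: ""
+source: "type.inbound\nand \n // display name contains captialone\n (\n strings.icontains(strings.replace_confusables(sender.display_name),\n 'Capital One'\n )\n // no spaces\n or strings.icontains(strings.replace_confusables(sender.display_name),\n 'Capital One'\n )\n // levenshtein distince similar to captial one\n or strings.ilevenshtein(strings.replace_confusables(sender.display_name),\n 'Capital One'\n ) <= 2\n // sender localpart contains captialone\n or strings.icontains(strings.replace_confusables(sender.email.local_part),\n 'capitalone'\n )\n // indicators in the footer\n or strings.ilike(strings.replace_confusables(body.current_thread.text),\n 'Capital One Financial Corp'\n )\n or strings.ilike(strings.replace_confusables(body.current_thread.text),\n '1680 Capital One Drive'\n )\n or any(ml.logo_detect(beta.message_screenshot()).brands, .name == \"Capital One Bank\" and .confidence != \"low\")\n \n)\nand not (\n sender.email.domain.root_domain in $org_domains\n or (\n sender.email.domain.root_domain in (\n \"capitalone.com\",\n \"capitaloneshopping.com\",\n \"capitalonesoftware.com\",\n \"olbanking.com\", // a fiserv.one domain\n \"bynder.com\", // Digital Assest Mgmt\n \"gcs-web.com\", // investor relations run by capital one\n \"capitalonearena.com\", // the arena\n \"monumentalsports.com\", // the company that owns a bunch of teams that play at the arena?\n )\n and headers.auth_summary.dmarc.pass\n )\n)\n\n// and the sender is not from high trust sender root domains\nand (\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and not headers.auth_summary.dmarc.pass\n )\n or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n"
+attack_types:
+- "Credential Phishing"
+tactics_and_techniques:
+- "Impersonation: Brand"
+- "Lookalike domain"
+- "Social engineering"
+detection_methods:
+- "Computer Vision"
+- "Sender analysis"
+- "Header analysis"
+id: "d53848e4-fc40-5bd1-ad5e-c9c4e85a669f"
+testing_pr: 2151
+testing_sha: 08a1b0833c38627a22731582d818d53e61bc1309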
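Review bot: The branch under the `// no spaces` comment in `source` repeats the preceding `strings.icontains` check with the identical literal `'Capital One'`, so the intended no-space spelling is never matched directly and a display name such as "CapitalOne Alerts" is caught only if the levenshtein branch happens to fire; the literal on that branch should read `'CapitalOne'`. `severity: ""` is left empty, which is presumably unintended for a credential-phishing rule, and the `name` value carries a trailing space (`"Brand Impersonation: Capital One "`). The inline comments also have typos (`captialone`, `distince`, `Assest`) that are worth fixing for searchability of the rule text.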