From bba5af5e04c875af5fb834dc7c867f2a8cafba71 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 25 Nov 2024 17:20:11 -0500
Subject: [PATCH 1/4] Create brand_impersonation_bbb.yml

---
 detection-rules/brand_impersonation_bbb.yml | 43 +++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 detection-rules/brand_impersonation_bbb.yml

diff --git a/detection-rules/brand_impersonation_bbb.yml b/detection-rules/brand_impersonation_bbb.yml
new file mode 100644
index 00000000000..58b4205040c
--- /dev/null
+++ b/detection-rules/brand_impersonation_bbb.yml
@@ -0,0 +1,43 @@
+name: "Brand impersonation: the Better Business Bureau (BBB)"
+description: "Detect impersonation of the Better Business Bureau (BBB)"
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and (
+ // display name contains bbb
+ (
+ regex.icontains(strings.replace_confusables(sender.display_name),
+ '(?:\bBBB\b|better business bureau)'
+ )
+ // or levenshtein distance similar to the full name
+ or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
+ 'better business bureau'
+ ) <= 1
+ )
+ // and the sender is not in org_domains or from the bbb and passes auth
+ and not (
+ sender.email.domain.root_domain in ("bbb.org")
+ and headers.auth_summary.dmarc.pass
+ )
+ )
+ // and the sender is not from high trust sender root domains
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+
+ // not solicited
+ and not profile.by_sender().solicited
+
+attack_types:
+ - "Credential Phishing"
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"

From ea91adda6c0e70d4251865c95de26a1de959ded5 Mon Sep 17 00:00:00 2001
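Review bot: The comment above the DMARC exclusion promises an org_domains exemption that the code does not implement — the `and not (` block only tests `sender.email.domain.root_domain in ("bbb.org")`, so a sender on one of the organisation's own domains whose mail is still classified `type.inbound` and whose display name contains "BBB" will fire this rule. Either trim the comment to `// and the sender is not from the bbb with passing auth` or add the exclusion it describes, presumably `sender.email.domain.root_domain in $org_domains`, as a further clause inside the same `and not (` group. The same comment is carried unchanged into the rewrite in PATCH 3/4 and appears as context in PATCH 4/4, so whichever way it is resolved should be applied there too. The rest of the exclusion is DMARC-gated, which is the right shape for a brand allowlist.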
From: ID Generator
Date: Mon, 25 Nov 2024 22:20:56 +0000
Subject: [PATCH 2/4] Auto add rule ID

---
 detection-rules/brand_impersonation_bbb.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/brand_impersonation_bbb.yml b/detection-rules/brand_impersonation_bbb.yml
index 58b4205040c..583144c8c9a 100644
--- a/detection-rules/brand_impersonation_bbb.yml
+++ b/detection-rules/brand_impersonation_bbb.yml
@@ -41,3 +41,4 @@ tactics_and_techniques:
 - "Social engineering"
 detection_methods:
 - "Sender analysis"
+id: "76f54e5f-c937-5693-b8e7-3ced7dac61f9"

From 9338dca07d2ba1ff321a6a24f5e6f7a2e7c0ec5b Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 25 Nov 2024 17:21:49 -0500
Subject: [PATCH 3/4] Update brand_impersonation_bbb.yml

---
 detection-rules/brand_impersonation_bbb.yml | 32 ++++++++++-----------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/detection-rules/brand_impersonation_bbb.yml b/detection-rules/brand_impersonation_bbb.yml
index 583144c8c9a..effa4d875d4 100644
--- a/detection-rules/brand_impersonation_bbb.yml
+++ b/detection-rules/brand_impersonation_bbb.yml
@@ -1,26 +1,26 @@
 name: "Brand impersonation: the Better Business Bureau (BBB)"
-description: "Detect impersonation of the Better Business Bureau (BBB)"
+description: "Detect impersonation of the Better Business Bureau (BBB) from unsolicited sender"
 type: "rule"
 severity: "medium"
 source: |
 type.inbound
- and (
- // display name contains bbb
- (
- regex.icontains(strings.replace_confusables(sender.display_name),
- '(?:\bBBB\b|better business bureau)'
- )
- // or levenshtein distance similar to the full name
- or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
- 'better business bureau'
- ) <= 1
- )
- // and the sender is not in org_domains or from the bbb and passes auth
- and not (
- sender.email.domain.root_domain in ("bbb.org")
- and headers.auth_summary.dmarc.pass
+ and
+ // display name contains bbb
+ (
+ regex.icontains(strings.replace_confusables(sender.display_name),
+ '(?:\bBBB\b|better business bureau)'
 )
+ // or levenshtein distance similar to the full name
+ or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
+ 'better business bureau'
+ ) <= 1
 )
+ // and the sender is not in org_domains or from the bbb and passes auth
+ and not (
+ sender.email.domain.root_domain in ("bbb.org")
+ and headers.auth_summary.dmarc.pass
+ )
+
 // and the sender is not from high trust sender root domains
 and (
 (

From 9f2426508245fc53de1d2ef58a28f8ec3904eb69 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 24 Dec 2024 09:01:15 -0500
Subject: [PATCH 4/4] Update brand_impersonation_bbb.yml

---
 detection-rules/brand_impersonation_bbb.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/brand_impersonation_bbb.yml b/detection-rules/brand_impersonation_bbb.yml
index effa4d875d4..b93a9f3294b 100644
--- a/detection-rules/brand_impersonation_bbb.yml
+++ b/detection-rules/brand_impersonation_bbb.yml
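Review bot: The new description reads "from unsolicited sender", which drops the article; `description: "Detect impersonation of the Better Business Bureau (BBB) from an unsolicited sender"` reads cleanly and matches the `profile.by_sender().solicited` check that the rule already applies. The regrouping itself preserves logic — `A and (B and not C)` and `A and B and not C` evaluate identically — so flattening the outer `and (` is fine, but the bare `and` now sits alone on its own line above the comment, whereas the previous version kept `and (` together with the comment beneath it; `and (` followed by the comment on the next line would keep the new layout consistent with the rest of the block. The `source:` block continues past the end of this hunk.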
@@ -17,7 +17,7 @@ source: |
 )
 // and the sender is not in org_domains or from the bbb and passes auth
 and not (
- sender.email.domain.root_domain in ("bbb.org")
+ sender.email.domain.root_domain in ("bbb.org", "mybbb.org")
 and headers.auth_summary.dmarc.pass
 )
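Review bot: The new entry `"mybbb.org"` widens the DMARC-gated exemption without recording why it belongs to BBB; every root domain in this tuple is one whose DMARC-passing mail is never flagged by this rule regardless of display name, so each addition is a policy decision that deserves a line of justification next to it. A comment such as `// mybbb.org: additional BBB-operated sending domain — confirm against observed legitimate traffic` above the tuple keeps the allowlist reviewable and tells the next maintainer what evidence backed the change. The exemption remains conditional on `headers.auth_summary.dmarc.pass`, which is the correct gate. The `and not (` group is fully visible here, but the enclosing `source:` block starts and ends outside the hunk.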