Create brand_impersonation_disney.yml

detection-rules/brand_impersonation_disney.yml

@@ -0,0 +1,119 @@
+name: "Brand Impersonation: Disney"
+description: "Detects messages from senders impersonating Disney through display name spoofing or brand logo usage, combined with security-themed content and suspicious authentication patterns."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    // display name contains Disney
+    (
+      strings.ilike(strings.replace_confusables(sender.display_name), '*disney*')
+      // levenshtein distance similar to Disney
+      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
+                              'disney'
+      ) <= 1
+      or any(ml.logo_detect(beta.message_screenshot()).brands,
+             .name == "Disney" and .confidence == "high"
+      )
+    )
+  )
+  and (
+    any(beta.ml_topic(body.current_thread.text).topics,
+        .name in (
+          "Security and Authentication",
+          "Secure Message",
+          "Reminders and Notifications"
+        )
+        and .confidence in ("medium", "high")
+    )
+    or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,
+           .name in (
+             "Security and Authentication",
+             "Secure Message",
+             "Reminders and Notifications"
+           )
+           and .confidence in ("medium", "high")
+           and beta.ocr(beta.message_screenshot()).text != ""
+    )
+    or any(ml.nlu_classifier(body.current_thread.text).intents,
+           .name == "cred_theft" and .confidence == "high"
+    )
+    or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
+           .name == "cred_theft" and .confidence == "high"
+    )
+  )
+
+  // and the sender is not in org_domains or from tiktok domains and passes auth
+  and not (
+    sender.email.domain.root_domain in $org_domains
+    or (
+      // from https://github.com/v2fly/domain-list-community/blob/master/data/disney
+      sender.email.domain.root_domain in (
+        "disney.asia",
+        "disney.be",
+        "disney.bg",
+        "disney.ca",
+        "disney.ch",
+        "disney.co.il",
+        "disney.co.jp",
+        "disney.co.kr",
+        "disney.co.th",
+        "disney.co.uk",
+        "disney.co.za",
+        "disney.com",
+        "disney.com.au",
+        "disney.com.br",
+        "disney.com.hk",
+        "disney.com.tw",
+        "disney.cz",
+        "disney.de",
+        "disney.dk",
+        "disney.es",
+        "disney.fi",
+        "disney.fr",
+        "disney.gr",
+        "disney.hu",
+        "disney.id",
+        "disney.in",
+        "disney.io",
+        "disney.it",
+        "disney.my",
+        "disney.nl",
+        "disney.no",
+        "disney.ph",
+        "disney.pl",
+        "disney.pt",
+        "disney.ro",
+        "disney.ru",
+        "disney.se",
+        "disney.sg"
+      )
+      and headers.auth_summary.dmarc.pass
+    )
+  )
+  // and the sender is not from high trust sender root domains
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+  and (
+    not profile.by_sender().solicited
+    or not headers.auth_summary.dmarc.pass
+    or not headers.auth_summary.spf.pass
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Computer Vision"
+  - "Natural Language Understanding"
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "bf90b8fb-3f6e-5831-9b3c-1d05b2a4a863"