Create brand_impersonation_siriusxm.yml (#2025)

Co-authored-by: ID Generator <[email protected]> Co-authored-by: Brandon Murphy <[email protected]>
sublime-security · Oct 25, 2024 · 5f5a77f · 5f5a77f
1 parent b84c090
commit 5f5a77f
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/detection-rules/brand_impersonation_siriusxm.yml b/detection-rules/brand_impersonation_siriusxm.yml
@@ -0,0 +1,32 @@
+name: "Brand Impersonation: SiriusXM"
+description: "Impersonation of the broadcasting corporation SiriusXM."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    strings.ilike(sender.display_name, '*siriusxm*')
+    or strings.ilevenshtein(sender.display_name, 'siriusxm') <= 1
+    or strings.ilike(sender.email.domain.domain, '*siriusxm*')
+  )
+  and (
+    sender.email.domain.root_domain not in ('siriusxm.com', 'siriusxmmedia.com', 'siriusxm.ca')
+    or (
+      sender.email.domain.root_domain in ('siriusxm.com', 'siriusxmmedia.com', 'siriusxm.ca')
+      and not headers.auth_summary.dmarc.pass
+    )
+  )
+  and not profile.by_sender().solicited
+attack_types:
+  - "Callback Phishing"
+  - "Credential Phishing"
+  - "Spam"
+tactics_and_techniques:
+  - "Free email provider"
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "70eb3792-cd7a-5369-b1c3-65a3b772de00"