Brand impersonation: Robinhood

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects messages impersonating Robinhood by analyzing sender display name, domain, body content including specific address references, and social media links, while excluding legitimate Robinhood communications with proper DMARC authentication.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Credential Phishing
Tactics and techniques	Impersonation: Brand, Social engineering

Event coverage

Message attribute
body
body.current_thread
body.html
body.links (collection)
headers (collection)
headers.auth_summary
sender
sender.email
subject
type

Rule body MQL

type.inbound
and (
  (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name in ("org", "sender") and strings.icontains(.text, 'Robinhood')
    )
    and (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "callback_scam" and .confidence != "low"
      )
    )
  )
  or strings.icontains(body.current_thread.text, 'The Robinhood Team')
  or regex.icontains(body.current_thread.text, '©\s*20[0-9]{2}\s*\s*Robinhood')
  or regex.icontains(body.current_thread.text,
                     '(?:\+?\d{0,2}[\s\-\.]*)?(?:\(?888\)?)[\s\-\.]*344[\s\-\.]*3957'
  )
  or regex.icontains(body.current_thread.text,
                     'brokerage clearing (?:service|company|business)'
  )
  or regex.icontains(body.html.raw, 'new passkey was recently added')
  or 2 of (
    strings.icontains(body.current_thread.text, "Robinhood"),
    regex.icontains(body.current_thread.text, '42 Willow (?:Road|St)'),
    strings.icontains(body.current_thread.text, "Menlo Park, CA 97095")
  )
  or (
    strings.icontains(sender.display_name, 'Robinhood')
    and (
      3 of (
        regex.icontains(body.current_thread.text, 'Location:?'),
        regex.icontains(body.current_thread.text, 'Time:'),
        regex.icontains(body.current_thread.text, 'Device:?'),
        regex.icontains(body.current_thread.text, 'IP Address:?'),
        regex.icontains(body.current_thread.text, 'Date:'),
        regex.icontains(body.current_thread.text, 'Region:?'),
        regex.icontains(body.current_thread.text, 'App:?'),
        regex.icontains(body.current_thread.text, 'Email ID:?')
      )
      or strings.icontains(body.current_thread.text, "new passkey added")
      or strings.icontains(body.current_thread.text,
                           "Security support phone number"
      )
    )
  )
  or (
    length(filter(body.links,
                  strings.icontains(.href_url.url,
                                    'https://www.facebook.com/robinhood'
                  )
                  or strings.icontains(.href_url.url,
                                       'https://twitter.com/robinhoodapp'
                  )
                  or strings.icontains(.href_url.url,
                                       'https://www.youtube.com/@RobinhoodApp'
                  )
                  or strings.icontains(.href_url.url,
                                       'https://www.instagram.com/robinhood'
                  )
           )
    ) >= 2
  )
)
// negate legitimate replies and forwards
and (
  (
    (length(headers.references) > 0 or headers.in_reply_to is null)
    and not (subject.is_reply or subject.is_forward)
  )
  or length(headers.references) == 0
)
// negate newsletters and webinars
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name in (
              "Newsletters and Digests",
              "Health and Wellness",
              "Events and Webinars"
            )
            and .confidence == "high"
)
and not any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "benign" and .confidence == "high"
)
and not (
  sender.email.domain.root_domain in (
    "robinhood.com",
    "robinhood.org",
    "duck.com", // unrelated domain
    "robinhoodauctions.com", // unrelated domain
    "bitstamp.net", // robinhood acquisition
    "sinch.com" // unrelated domain
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

Detection logic

Scope: inbound message.

inbound message
any of:
- all of:
  - any of ml.nlu_classifier(body.current_thread.text).entities where all hold:
    
    .name in ('org', 'sender')
    .text contains 'Robinhood'
  - any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
    
    .name is 'callback_scam'
    .confidence is not 'low'
- body.current_thread.text contains 'The Robinhood Team'
- body.current_thread.text matches '©\\s*20[0-9]{2}\\s*\\s*Robinhood'
- body.current_thread.text matches '(?:\\+?\\d{0,2}[\\s\\-\\.]*)?(?:\\(?888\\)?)[\\s\\-\\.]*344[\\s\\-\\.]*3957'
- body.current_thread.text matches 'brokerage clearing (?:service|company|business)'
- body.html.raw matches 'new passkey was recently added'
- at least 2 of:
  - body.current_thread.text contains 'Robinhood'
  - body.current_thread.text matches '42 Willow (?:Road|St)'
  - body.current_thread.text contains 'Menlo Park, CA 97095'
- all of:
  - sender.display_name contains 'Robinhood'
  - any of:
    
    at least 3 of 8: body.current_thread.text matches any of 8 patterns
    
    Location:?
    Time:
    Device:?
    IP Address:?
    Date:
    Region:?
    App:?
    Email ID:?
    body.current_thread.text contains 'new passkey added'
    body.current_thread.text contains 'Security support phone number'
- length(filter(body.links, strings.icontains(.href_url.url, 'https://www.facebook.com/robinhood') or strings.icontains(.href_url.url, 'https://twitter.com/robinhoodapp') or strings.icontains(.href_url.url, 'https://www.youtube.com/@RobinhoodApp') or strings.icontains(.href_url.url, 'https://www.instagram.com/robinhood'))) ≥ 2
any of:
- all of:
  - any of:
    
    length(headers.references) > 0
    headers.in_reply_to is missing
  - none of:
    
    subject.is_reply
    subject.is_forward
- length(headers.references) is 0
not:
- any of ml.nlu_classifier(body.current_thread.text).topics where all hold:
  - .name in ('Newsletters and Digests', 'Health and Wellness', 'Events and Webinars')
  - .confidence is 'high'
not:
- any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
  - .name is 'benign'
  - .confidence is 'high'
not:
- all of:
  - sender.email.domain.root_domain in ('robinhood.com', 'robinhood.org', 'duck.com', 'robinhoodauctions.com', 'bitstamp.net', 'sinch.com')
  - coalesce(headers.auth_summary.dmarc.pass)

Inspects: body.current_thread.text, body.html.raw, body.links, body.links[].href_url.url, headers.auth_summary.dmarc.pass, headers.in_reply_to, headers.references, sender.display_name, sender.email.domain.root_domain, subject.is_forward, subject.is_reply, type.inbound. Sensors: ml.nlu_classifier, regex.icontains, strings.icontains.

Indicators matched (37)

Field	Match	Value
`ml.nlu_classifier(body.current_thread.text).entities[].name`	member	`org`
`ml.nlu_classifier(body.current_thread.text).entities[].name`	member	`sender`
`strings.icontains`	substring	`Robinhood`
`ml.nlu_classifier(body.current_thread.text).intents[].name`	equals	`callback_scam`
`strings.icontains`	substring	`The Robinhood Team`
`regex.icontains`	regex	`©\s20[0-9]{2}\s\s*Robinhood`
`regex.icontains`	regex	`(?:\+?\d{0,2}[\s\-\.])?(?:\(?888\)?)[\s\-\.]344[\s\-\.]*3957`
`regex.icontains`	regex	`brokerage clearing (?:service\|company\|business)`
`regex.icontains`	regex	`new passkey was recently added`
`regex.icontains`	regex	`42 Willow (?:Road\|St)`
`strings.icontains`	substring	`Menlo Park, CA 97095`
`regex.icontains`	regex	`Location:?`

25 more

`regex.icontains`	regex	`Time:`
`regex.icontains`	regex	`Device:?`
`regex.icontains`	regex	`IP Address:?`
`regex.icontains`	regex	`Date:`
`regex.icontains`	regex	`Region:?`
`regex.icontains`	regex	`App:?`
`regex.icontains`	regex	`Email ID:?`
`strings.icontains`	substring	`new passkey added`
`strings.icontains`	substring	`Security support phone number`
`strings.icontains`	substring	`https://www.facebook.com/robinhood`
`strings.icontains`	substring	`https://twitter.com/robinhoodapp`
`strings.icontains`	substring	`https://www.youtube.com/@RobinhoodApp`
`strings.icontains`	substring	`https://www.instagram.com/robinhood`
`ml.nlu_classifier(body.current_thread.text).topics[].name`	member	`Newsletters and Digests`
`ml.nlu_classifier(body.current_thread.text).topics[].name`	member	`Health and Wellness`
`ml.nlu_classifier(body.current_thread.text).topics[].name`	member	`Events and Webinars`
`ml.nlu_classifier(body.current_thread.text).topics[].confidence`	equals	`high`
`ml.nlu_classifier(body.current_thread.text).intents[].name`	equals	`benign`
`ml.nlu_classifier(body.current_thread.text).intents[].confidence`	equals	`high`
`sender.email.domain.root_domain`	member	`robinhood.com`
`sender.email.domain.root_domain`	member	`robinhood.org`
`sender.email.domain.root_domain`	member	`duck.com`
`sender.email.domain.root_domain`	member	`robinhoodauctions.com`
`sender.email.domain.root_domain`	member	`bitstamp.net`
`sender.email.domain.root_domain`	member	`sinch.com`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)