detection.wiki

Detection rules › Sublime MQL

Brand impersonation: Trust Wallet

Severity
high
Type
rule
Source
github.com/sublime-security/sublime-rules

Detects inbound messages containing links where the sender impersonates Trust Wallet through display name manipulation and suspicious language, while not being from legitimate Trust Wallet domains. The rule checks for credential theft patterns and validates sender authentication.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesBEC/Fraud, Credential Phishing
Tactics and techniquesImpersonation: Brand, Social engineering

Event coverage

Message attribute
body
body.current_thread
headers.auth_summary
sender
sender.email
type

Rule body MQL

type.inbound
and length(body.links) > 0
and (
  regex.icontains(strings.replace_confusables(sender.display_name),
                  '\btrust wa[li1]{2}et\b'
  )
  or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                          'trust wallet'
  ) <= 2
)
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name in ("cred_theft", "callback_scam", "steal_pii", "extortion")
      and .confidence in ("high")
  )
)
and sender.email.domain.root_domain not in~ ('trustwallet.com')

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Detection logic

Scope: inbound message.

Detects inbound messages containing links where the sender impersonates Trust Wallet through display name manipulation and suspicious language, while not being from legitimate Trust Wallet domains. The rule checks for credential theft patterns and validates sender authentication.

  1. inbound message
  2. length(body.links) > 0
  3. any of:
    • strings.replace_confusables(sender.display_name) matches '\\btrust wa[li1]{2}et\\b'
    • strings.replace_confusables(sender.display_name) is similar to 'trust wallet'
  4. any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
    • .name in ('cred_theft', 'callback_scam', 'steal_pii', 'extortion')
    • .confidence in ('high')
  5. sender.email.domain.root_domain not in ('trustwallet.com')
  6. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains

Inspects: body.current_thread.text, body.links, headers.auth_summary.dmarc.pass, sender.display_name, sender.email.domain.root_domain, type.inbound. Sensors: ml.nlu_classifier, regex.icontains, strings.ilevenshtein, strings.replace_confusables. Reference lists: $high_trust_sender_root_domains.

Indicators matched (8)

FieldMatchValue
regex.icontainsregex\btrust wa[li1]{2}et\b
strings.ilevenshteinfuzzytrust wallet
ml.nlu_classifier(body.current_thread.text).intents[].namemembercred_theft
ml.nlu_classifier(body.current_thread.text).intents[].namemembercallback_scam
ml.nlu_classifier(body.current_thread.text).intents[].namemembersteal_pii
ml.nlu_classifier(body.current_thread.text).intents[].namememberextortion
ml.nlu_classifier(body.current_thread.text).intents[].confidencememberhigh
sender.email.domain.root_domainmembertrustwallet.com