Brand impersonation: Barracuda Networks
Impersonation of Barracuda Networks, an IT security company.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Lookalike domain, Social engineering |
Event coverage
| Message attribute |
|---|
| sender |
| sender.email |
| type |
Rule body

```mql
type.inbound
and (
    strings.ilike(sender.display_name, '*barracuda*')
    or strings.ilevenshtein(sender.display_name, 'barracuda') <= 1
    or strings.ilike(sender.email.domain.domain, '*barracuda*')
)
and sender.email.domain.root_domain not in (
    'barracuda.com',
    'barracudamsp.com',
    'barracudanetworks.com',
    'netsuite.com',
    // hockey team
    'sharkssports.net',
    'sjbarracuda.com',
    // Barracuda Barcatering
    'barracuda-barcatering.de',
    // Barracuda Events Team
    'worldspan.co.uk',
    // Barracudas Day Camps
    'barracudas.co.uk',
    // BarracudaShoes
    'barracudashoes.it'
)
and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
        profile.by_sender().any_messages_malicious_or_spam
        and not profile.by_sender().any_messages_benign
    )
)
```
Detection logic
Scope: inbound message.
- all of:
  - inbound message
  - any of:
    - sender.display_name matches '*barracuda*' (case-insensitive)
    - sender.display_name is within edit distance 1 of 'barracuda' (case-insensitive)
    - sender.email.domain.domain matches '*barracuda*' (case-insensitive)
  - sender.email.domain.root_domain not in ('barracuda.com', 'barracudamsp.com', 'barracudanetworks.com', 'netsuite.com', 'sharkssports.net', 'sjbarracuda.com', 'barracuda-barcatering.de', 'worldspan.co.uk', 'barracudas.co.uk', 'barracudashoes.it')
  - any of:
    - profile.by_sender().prevalence in ('new', 'outlier')
    - all of:
      - profile.by_sender().any_messages_malicious_or_spam
      - not: profile.by_sender().any_messages_benign
Inspects: sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, type.inbound. Sensors: profile.by_sender, strings.ilevenshtein, strings.ilike.
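To show how the three conjuncts interact, here is an added Python re-implementation of the rule's logic, evaluated over constructed sample messages. It is not part of the rule or of Sublime's code: the `Message` dataclass, the `fnmatch`-based stand-in for `strings.ilike`, the hand-written `ilevenshtein` and the sample values are all assumptions made for this example.

```python
import fnmatch
from dataclasses import dataclass

ALLOWED_ROOT_DOMAINS = {  # allowlisted root domains, copied from the rule body
    "barracuda.com", "barracudamsp.com", "barracudanetworks.com", "netsuite.com",
    "sharkssports.net", "sjbarracuda.com", "barracuda-barcatering.de",
    "worldspan.co.uk", "barracudas.co.uk", "barracudashoes.it",
}

def ilike(value: str, pattern: str) -> bool:  # stand-in for strings.ilike
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def ilevenshtein(a: str, b: str) -> int:  # stand-in for strings.ilevenshtein
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

@dataclass
class Message:  # constructed stand-in for the attributes and sender profile the rule reads
    inbound: bool
    display_name: str      # sender.display_name
    domain: str            # sender.email.domain.domain
    root_domain: str       # sender.email.domain.root_domain
    prevalence: str        # profile.by_sender().prevalence
    any_malicious_or_spam: bool
    any_benign: bool

def rule_matches(m: Message) -> bool:
    if not m.inbound:
        return False
    lookalike = (ilike(m.display_name, "*barracuda*")
                 or ilevenshtein(m.display_name, "barracuda") <= 1
                 or ilike(m.domain, "*barracuda*"))
    if not lookalike or m.root_domain in ALLOWED_ROOT_DOMAINS:
        return False
    # Fire only for senders with no benign history: new/outlier, or known-bad and never benign.
    return (m.prevalence in ("new", "outlier")
            or (m.any_malicious_or_spam and not m.any_benign))

# Constructed samples: lookalike domain from a new sender; display-name typo from a sender with
# only bad history; the real vendor; an established sender with benign history.
SAMPLES = [
    Message(True, "Barracuda Support", "barracuda-secure.example", "barracuda-secure.example", "new", False, False),
    Message(True, "Baracuda", "notify.example.net", "example.net", "common", True, False),
    Message(True, "Barracuda Networks", "mail.barracudanetworks.com", "barracudanetworks.com", "common", False, False),
    Message(True, "Barracuda Reseller", "partner.example.org", "example.org", "common", False, True),
]
```

Note that the Levenshtein branch compares the whole display name, so "Barracuda Support" is caught by the wildcard match, not the fuzzy one; only short names such as "Baracuda" fall within distance 1.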
Indicators matched (12)
| Field | Match | Value |
|---|---|---|
| strings.ilike | substring | *barracuda* |
| strings.ilevenshtein | fuzzy | barracuda |
| sender.email.domain.root_domain | member | barracuda.com |
| sender.email.domain.root_domain | member | barracudamsp.com |
| sender.email.domain.root_domain | member | barracudanetworks.com |
| sender.email.domain.root_domain | member | netsuite.com |
| sender.email.domain.root_domain | member | sharkssports.net |
| sender.email.domain.root_domain | member | sjbarracuda.com |
| sender.email.domain.root_domain | member | barracuda-barcatering.de |
| sender.email.domain.root_domain | member | worldspan.co.uk |
| sender.email.domain.root_domain | member | barracudas.co.uk |
| sender.email.domain.root_domain | member | barracudashoes.it |