Brand impersonation: Chase Bank
Impersonation of Chase Bank and related services to harvest credentials or related information such as dates of birth, phone numbers, social security numbers, ATM PINs, driver's license numbers, selfies, and ID card photos.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Lookalike domain, Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| headers.auth_summary |
| sender |
| sender.email |
| subject |
| type |
Rule body MQL
```
type.inbound
and (
  strings.ilike(sender.display_name,
    '*chase sapphire*',
    '*chase card services*',
    '*united mileageplus*',
    "echase*"
  )
  or strings.ilevenshtein(sender.display_name, 'chase sapphire') <= 2
  or strings.ilevenshtein(sender.display_name, 'chase card services') <= 2
  or strings.ilevenshtein(sender.display_name, 'united mileageplus') <= 2
  or (
    (
      strings.ilevenshtein(sender.display_name, 'echase') <= 1
      or (
        strings.icontains(sender.display_name, "bank")
        and strings.icontains(subject.base, "chase bank")
      )
    )
    // Negate a Chase sender display name if no cred theft intent, callback phishing intent, or Chase logo is detected
    and not (
      strings.icontains(sender.display_name, 'chase')
      and not (
        any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence in ("medium", "high")
        )
        or any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "callback_scam" and .confidence in ("medium", "high")
        )
        or any(ml.logo_detect(file.message_screenshot()).brands,
          strings.starts_with(.name, "Chase")
        )
      )
    )
  )
  or regex.icontains(body.current_thread.text,
    '(Chase|J\.?\s?P\.?\sMorgan)\s(Privacy|Treasury)\sOperations|(Privacy|Treasury)\sOperations\s(Chase|J\.?\s?P\.?\sMorgan)'
  )
)
and not (
  sender.display_name is not null and sender.display_name in~ ("chaser", "case")
)
and sender.email.domain.root_domain not in~ (
  'chase.com',
  'united.com',
  'transunion.com',
  'shopping-chase.com',
  'chasetravel.com',
  'chaseoffers.com'
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
```
Detection logic
Scope: inbound message.
- inbound message
- any of:
  - sender.display_name matches any of 4 patterns: '*chase sapphire*', '*chase card services*', '*united mileageplus*', 'echase*'
  - sender.display_name is similar to 'chase sapphire'
  - sender.display_name is similar to 'chase card services'
  - sender.display_name is similar to 'united mileageplus'
  - all of:
    - any of:
      - sender.display_name is similar to 'echase'
      - all of:
        - sender.display_name contains 'bank'
        - subject.base contains 'chase bank'
    - not:
      - all of:
        - sender.display_name contains 'chase'
        - none of:
          - any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
            - .name is 'cred_theft'
            - .confidence in ('medium', 'high')
          - any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
            - .name is 'callback_scam'
            - .confidence in ('medium', 'high')
          - any of ml.logo_detect(file.message_screenshot()).brands where:
            - .name starts with 'Chase'
  - body.current_thread.text matches '(Chase|J\.?\s?P\.?\sMorgan)\s(Privacy|Treasury)\sOperations|(Privacy|Treasury)\sOperations\s(Chase|J\.?\s?P\.?\sMorgan)'
- not:
  - all of:
    - sender.display_name is set
    - sender.display_name in ('chaser', 'case')
- sender.email.domain.root_domain not in ('chase.com', 'united.com', 'transunion.com', 'shopping-chase.com', 'chasetravel.com', 'chaseoffers.com')
- any of:
  - all of:
    - sender.email.domain.root_domain in $high_trust_sender_root_domains
    - not:
      - headers.auth_summary.dmarc.pass
  - sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, sender.display_name, sender.email.domain.root_domain, subject.base, type.inbound. Sensors: file.message_screenshot, ml.logo_detect, ml.nlu_classifier, regex.icontains, strings.icontains, strings.ilevenshtein, strings.ilike, strings.starts_with. Reference lists: $high_trust_sender_root_domains.
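To make the rule's branching concrete, the following is an added Python model of the logic above. It is not Sublime's engine or code: `strings.ilevenshtein`, `strings.ilike` and `regex.icontains` are approximated with local helpers, the `ml.nlu_classifier` and `ml.logo_detect` sensor outputs are supplied as fields on a constructed message dict, and `HIGH_TRUST_ROOT_DOMAINS` is a constructed stand-in for the `$high_trust_sender_root_domains` reference list. The sample messages at the bottom are constructed, not real observations.

```python
import fnmatch
import re

# Constructed stand-in for the $high_trust_sender_root_domains reference list.
HIGH_TRUST_ROOT_DOMAINS = {"google.com", "microsoft.com"}

# Legitimate Chase-related root domains the rule negates (taken from the rule body).
LEGIT_ROOT_DOMAINS = {
    "chase.com", "united.com", "transunion.com",
    "shopping-chase.com", "chasetravel.com", "chaseoffers.com",
}

# Body regex from the rule, applied case-insensitively like regex.icontains.
BODY_RE = re.compile(
    r"(Chase|J\.?\s?P\.?\sMorgan)\s(Privacy|Treasury)\sOperations"
    r"|(Privacy|Treasury)\sOperations\s(Chase|J\.?\s?P\.?\sMorgan)",
    re.IGNORECASE,
)


def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance (local stand-in for strings.ilevenshtein)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def ilike(value: str, *patterns: str) -> bool:
    """Case-insensitive glob match where '*' is any run (stand-in for strings.ilike)."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def evaluate(msg: dict) -> bool:
    """Return True when the constructed message would match the rule."""
    if not msg.get("inbound", True):
        return False
    dn = msg.get("display_name") or ""
    dn_l = dn.lower()
    subject = msg.get("subject_base", "")
    body = msg.get("body", "")
    intents = msg.get("intents", [])  # stand-in for ml.nlu_classifier(...).intents
    brands = msg.get("brands", [])    # stand-in for ml.logo_detect(...).brands

    def intent(name: str) -> bool:
        return any(i["name"] == name and i["confidence"] in ("medium", "high")
                   for i in intents)

    # Any of these ML signals lifts the "display name contains chase" negation.
    ml_evidence = (intent("cred_theft") or intent("callback_scam")
                   or any(b["name"].startswith("Chase") for b in brands))

    # The weaker name signals are the only ones gated on ML evidence.
    weak_name_hit = (ilevenshtein(dn, "echase") <= 1
                     or ("bank" in dn_l and "chase bank" in subject.lower()))

    brand_hit = (
        ilike(dn, "*chase sapphire*", "*chase card services*",
              "*united mileageplus*", "echase*")
        or ilevenshtein(dn, "chase sapphire") <= 2
        or ilevenshtein(dn, "chase card services") <= 2
        or ilevenshtein(dn, "united mileageplus") <= 2
        or (weak_name_hit and not ("chase" in dn_l and not ml_evidence))
        or BODY_RE.search(body) is not None
    )
    if not brand_hit:
        return False
    if dn_l in ("chaser", "case"):  # known benign display names near the fuzzy patterns
        return False
    root = msg["root_domain"].lower()
    if root in LEGIT_ROOT_DOMAINS:  # Chase and partners send from these legitimately
        return False
    if root in HIGH_TRUST_ROOT_DOMAINS and msg.get("dmarc_pass", False):
        return False  # trusted domain that authenticates: suppressed
    return True


if __name__ == "__main__":
    # Constructed samples: lookalike sender, ML-gated "Chase Bank" name, real chase.com sender.
    samples = [
        {"display_name": "Chase Sapphire Rewards", "root_domain": "sapphire-rewards-verify.example"},
        {"display_name": "Chase Bank", "subject_base": "Chase Bank: verify your account",
         "root_domain": "mail.example"},
        {"display_name": "Chase Bank", "subject_base": "Chase Bank: verify your account",
         "root_domain": "mail.example", "intents": [{"name": "cred_theft", "confidence": "high"}]},
        {"display_name": "Chase Card Services", "root_domain": "chase.com"},
    ]
    for s in samples:
        print(s["display_name"], s["root_domain"], "->", evaluate(s))
```

Running the samples shows the asymmetry a tuner should know about: the `ilike` and the three `<= 2` fuzzy branches fire on the display name alone, while the `echase` and `bank` + subject branch is suppressed for a "chase" display name until the NLU classifier or logo detector adds evidence, and the chase.com, high-trust-with-DMARC-pass, and "chaser"/"case" negations apply to every branch.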
Indicators matched (25)
| Field | Match | Value |
|---|---|---|
| strings.ilike | substring | *chase sapphire* |
| strings.ilike | substring | *chase card services* |
| strings.ilike | substring | *united mileageplus* |
| strings.ilike | substring | echase* |
| strings.ilevenshtein | fuzzy | chase sapphire |
| strings.ilevenshtein | fuzzy | chase card services |
| strings.ilevenshtein | fuzzy | united mileageplus |
| strings.ilevenshtein | fuzzy | echase |
| strings.icontains | substring | bank |
| strings.icontains | substring | chase bank |
| strings.icontains | substring | chase |
| ml.nlu_classifier(body.current_thread.text).intents[].name | equals | cred_theft |
| ml.nlu_classifier(body.current_thread.text).intents[].confidence | member | medium |
| ml.nlu_classifier(body.current_thread.text).intents[].confidence | member | high |
| ml.nlu_classifier(body.current_thread.text).intents[].name | equals | callback_scam |
| strings.starts_with | prefix | Chase |
| regex.icontains | regex | (Chase\|J\.?\s?P\.?\sMorgan)\s(Privacy\|Treasury)\sOperations\|(Privacy\|Treasury)\sOperations\s(Chase\|J\.?\s?P\.?\sMorgan) |
| sender.display_name | member | chaser |
| sender.display_name | member | case |
| sender.email.domain.root_domain | member | chase.com |
| sender.email.domain.root_domain | member | united.com |
| sender.email.domain.root_domain | member | transunion.com |
| sender.email.domain.root_domain | member | shopping-chase.com |
| sender.email.domain.root_domain | member | chasetravel.com |
| sender.email.domain.root_domain | member | chaseoffers.com |