Detection rules › Sublime MQL
Brand impersonation: Ledger
Attack impersonating hardware cryptocurrency wallet ledger.com's brand.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Lookalike domain, Social engineering |
Event coverage
| Message attribute |
|---|
| headers.auth_summary |
| headers.return_path |
| sender |
| sender.email |
| type |
Rule body MQL
type.inbound
and (
(
sender.email.domain.root_domain == 'ledger.com'
and headers.return_path.domain.root_domain not in (
'ledger.com',
'amazonses.com',
'ledger.fr',
'hubspotemail.net'
)
)
or (
(
// only match ledger actual domains if dmarc fails
not (
sender.email.domain.root_domain in~ ('ledger.com', 'ledger.fr')
and headers.auth_summary.dmarc.pass
)
or not sender.email.domain.root_domain in~ ('ledger.com', 'ledger.fr')
)
and (
strings.ilike(sender.email.email, '*-ledger.com*')
or sender.display_name =~ "ledger"
or strings.istarts_with(sender.display_name, "ledger")
or strings.ilevenshtein(sender.email.domain.sld, "ledger") <= 1
)
and (
// if this comes from a free email provider,
// flag if org has never sent an email to sender's email before
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
// if this comes from a custom domain,
// flag if org has never sent an email to sender's domain before
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
)
)
)
)
and sender.email.domain.root_domain not in (
// Fortune has a newsletter called "The Ledger"
'fortune.com',
'velocityledger.com',
'lever.co',
'queensledger.com',
'libertyledger.com',
'uledger.io',
'ledgers.org.uk',
'leger.co.uk',
'xledger.net'
)
Detection logic
Scope: inbound message.
Attack impersonating hardware cryptocurrency wallet ledger.com's brand.
- inbound message
any of:
all of:
- sender.email.domain.root_domain is 'ledger.com'
- headers.return_path.domain.root_domain not in ('ledger.com', 'amazonses.com', 'ledger.fr', 'hubspotemail.net')
all of:
any of:
not:
all of:
- sender.email.domain.root_domain in ('ledger.com', 'ledger.fr')
- headers.auth_summary.dmarc.pass
not:
- sender.email.domain.root_domain in ('ledger.com', 'ledger.fr')
any of:
- sender.email.email matches '*-ledger.com*'
- sender.display_name is 'ledger'
- sender.display_name starts with 'ledger'
- sender.email.domain.sld is similar to 'ledger'
any of:
all of:
- sender.email.domain.root_domain in $free_email_providers
- sender.email.email not in $recipient_emails
all of:
- sender.email.domain.root_domain not in $free_email_providers
- sender.email.domain.domain not in $recipient_domains
- sender.email.domain.root_domain not in ('fortune.com', 'velocityledger.com', 'lever.co', 'queensledger.com', 'libertyledger.com', 'uledger.io', 'ledgers.org.uk', 'leger.co.uk', 'xledger.net')
Inspects: headers.auth_summary.dmarc.pass, headers.return_path.domain.root_domain, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, sender.email.domain.sld, sender.email.email, type.inbound. Sensors: strings.ilevenshtein, strings.ilike, strings.istarts_with. Reference lists: $free_email_providers, $recipient_domains, $recipient_emails.
Indicators matched (20)
| Field | Match | Value |
|---|---|---|
sender.email.domain.root_domain | equals | ledger.com |
headers.return_path.domain.root_domain | member | ledger.com |
headers.return_path.domain.root_domain | member | amazonses.com |
headers.return_path.domain.root_domain | member | ledger.fr |
headers.return_path.domain.root_domain | member | hubspotemail.net |
sender.email.domain.root_domain | member | ledger.com |
sender.email.domain.root_domain | member | ledger.fr |
strings.ilike | substring | *-ledger.com* |
sender.display_name | equals | ledger |
strings.istarts_with | prefix | ledger |
strings.ilevenshtein | fuzzy | ledger |
sender.email.domain.root_domain | member | fortune.com |
8 more
sender.email.domain.root_domain | member | velocityledger.com |
sender.email.domain.root_domain | member | lever.co |
sender.email.domain.root_domain | member | queensledger.com |
sender.email.domain.root_domain | member | libertyledger.com |
sender.email.domain.root_domain | member | uledger.io |
sender.email.domain.root_domain | member | ledgers.org.uk |
sender.email.domain.root_domain | member | leger.co.uk |
sender.email.domain.root_domain | member | xledger.net |