detection.wiki

Detection rules › Sublime MQL

Brand impersonation: PNC

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

Impersonation of PNC Financial Services

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesCredential Phishing
Tactics and techniquesImpersonation: Brand, Lookalike domain, Social engineering

Event coverage

Message attribute
body
headers (collection)
headers.auth_summary
sender
sender.email
subject
type

Rule body MQL

type.inbound
and (
  regex.icontains(sender.display_name, '\PNC\b')
  or strings.ilike(sender.email.domain.domain, '*PNC*')
  or strings.ilike(subject.subject, '*PNC*')
)
and sender.email.domain.root_domain not in~ ('pnc.com', 'pncbank.com')
and sender.email.domain.tld != "pnc"
and any(ml.logo_detect(file.message_screenshot()).brands,
        .name == "PNC" and .confidence in ("medium", "high")
)
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
// not forwards/replies
and not (
  (length(headers.references) > 0 or headers.in_reply_to is not null)
  and (subject.is_forward or subject.is_reply)
  and length(body.previous_threads) >= 1
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Detection logic

Scope: inbound message.

Impersonation of PNC Financial Services

  1. inbound message
  2. any of:
    • sender.display_name matches '\\PNC\\b'
    • sender.email.domain.domain matches '*PNC*'
    • subject.subject matches '*PNC*'
  3. sender.email.domain.root_domain not in ('pnc.com', 'pncbank.com')
  4. sender.email.domain.tld is not 'pnc'
  5. any of ml.logo_detect(file.message_screenshot()).brands where all hold:
    • .name is 'PNC'
    • .confidence in ('medium', 'high')
  6. any of:
    • profile.by_sender().prevalence in ('new', 'outlier')
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
  7. not:
    • all of:
      • any of:
        • length(headers.references) > 0
        • headers.in_reply_to is set
      • any of:
        • subject.is_forward
        • subject.is_reply
      • length(body.previous_threads) ≥ 1
  8. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains

Inspects: body.previous_threads, headers.auth_summary.dmarc.pass, headers.in_reply_to, headers.references, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, sender.email.domain.tld, subject.is_forward, subject.is_reply, subject.subject, type.inbound. Sensors: file.message_screenshot, ml.logo_detect, profile.by_sender, regex.icontains, strings.ilike. Reference lists: $high_trust_sender_root_domains.

Indicators matched (7)

FieldMatchValue
regex.icontainsregex\PNC\b
strings.ilikesubstring*PNC*
sender.email.domain.root_domainmemberpnc.com
sender.email.domain.root_domainmemberpncbank.com
ml.logo_detect(file.message_screenshot()).brands[].nameequalsPNC
ml.logo_detect(file.message_screenshot()).brands[].confidencemembermedium
ml.logo_detect(file.message_screenshot()).brands[].confidencememberhigh