detection.wiki

Detection rules › Sublime MQL

Brand impersonation: Twitter

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

Impersonation of Twitter.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesCredential Phishing
Tactics and techniquesImpersonation: Brand, Lookalike domain, Social engineering

Event coverage

Message attribute
body
body.current_thread
body.links (collection)
headers (collection)
sender
sender.email
type

Rule body MQL

type.inbound
and (
  // Twitter logic
  (
    sender.display_name =~ "twitter"
    or strings.ilevenshtein(sender.display_name, 'twitter') <= 1
    or strings.ilike(sender.email.domain.domain, '*twitter*')
  )
  // "X" logic
  or (
    (
      3 of (
        strings.iends_with(sender.email.domain.root_domain, "-x.com"),
        strings.icontains(sender.email.local_part, "x-corp"),
        any(body.links,
            strings.iends_with(.href_url.domain.root_domain, "-x.com")
            or strings.istarts_with(.href_url.domain.subdomain, "x-corp")
        ),
        strings.ilike(body.current_thread.text,
                      "*content dispute*",
                      "*copyright*",
                      "*appeal*"
        ),
        strings.contains(body.current_thread.text, '1355 Market Street'),
        strings.contains(body.current_thread.text, 'San Francisco, CA 94103'),
        strings.contains(body.current_thread.text, 'X Corp'),
        strings.ilike(body.current_thread.text, '*865 FM 1209*bastrop*')
      )
      or (
        length(ml.logo_detect(file.message_screenshot()).brands) == 1
        and any(ml.logo_detect(file.message_screenshot()).brands,
                .name == "X" and .confidence == "high"
        )
        and (
          any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "cred_theft" and .confidence == "high"
          )
          or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
                 .name == "cred_theft" and .confidence == "high"
          )
        )
      )
    )
    and any(beta.ml_topic(body.current_thread.text).topics,
            .name in (
              "Reminders and Notifications",
              "Security and Authentication",
              "Legal and Compliance",
              "Customer Service and Support"
            )
    )
  )
)
and sender.email.domain.domain not in~ (
  'twitter.com',
  'privaterelay.appleid.com',
  'stripe.com',
  'x.com',
  'twitter.discoursemail.com',
  'slack.com'
)
// negate Hearsay Systems which sends notifications from sender domain ending in twitter.com
and not (
  strings.ends_with(sender.email.domain.domain, '.hearsay.twitter.com')
  and strings.ends_with(headers.message_id, '@hearsaysystems.com>')
)
and sender.email.email not in $recipient_emails

Detection logic

Scope: inbound message.

Impersonation of Twitter.

  1. inbound message
  2. any of:
    • any of:
      • sender.display_name is 'twitter'
      • sender.display_name is similar to 'twitter'
      • sender.email.domain.domain matches '*twitter*'
    • all of:
      • any of:
        • at least 3 of:
          • sender.email.domain.root_domain ends with '-x.com'
          • sender.email.local_part contains 'x-corp'
          • any of body.links where any holds:
            • .href_url.domain.root_domain ends with '-x.com'
            • .href_url.domain.subdomain starts with 'x-corp'
          • body.current_thread.text matches any of 3 patterns
            • *content dispute*
            • *copyright*
            • *appeal*
          • body.current_thread.text contains '1355 Market Street'
          • body.current_thread.text contains 'San Francisco, CA 94103'
          • body.current_thread.text contains 'X Corp'
          • body.current_thread.text matches '*865 FM 1209*bastrop*'
        • all of:
          • length(ml.logo_detect(file.message_screenshot()).brands) is 1
          • any of ml.logo_detect(file.message_screenshot()).brands where all hold:
            • .name is 'X'
            • .confidence is 'high'
          • any of:
            • any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
              • .name is 'cred_theft'
              • .confidence is 'high'
            • any of ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents where all hold:
              • .name is 'cred_theft'
              • .confidence is 'high'
      • any of beta.ml_topic(body.current_thread.text).topics where:
        • .name in ('Reminders and Notifications', 'Security and Authentication', 'Legal and Compliance', 'Customer Service and Support')
  3. sender.email.domain.domain not in ('twitter.com', 'privaterelay.appleid.com', 'stripe.com', 'x.com', 'twitter.discoursemail.com', 'slack.com')
  4. not:
    • all of:
      • sender.email.domain.domain ends with '.hearsay.twitter.com'
      • headers.message_id ends with '@hearsaysystems.com>'
  5. sender.email.email not in $recipient_emails

Inspects: body.current_thread.text, body.links, body.links[].href_url.domain.root_domain, body.links[].href_url.domain.subdomain, headers.message_id, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, sender.email.email, sender.email.local_part, type.inbound. Sensors: beta.ml_topic, beta.ocr, file.message_screenshot, ml.logo_detect, ml.nlu_classifier, strings.contains, strings.ends_with, strings.icontains, strings.iends_with, strings.ilevenshtein, strings.ilike, strings.istarts_with. Reference lists: $recipient_emails.

Indicators matched (31)

FieldMatchValue
sender.display_nameequalstwitter
strings.ilevenshteinfuzzytwitter
strings.ilikesubstring*twitter*
strings.iends_withsuffix-x.com
strings.icontainssubstringx-corp
strings.istarts_withprefixx-corp
strings.ilikesubstring*content dispute*
strings.ilikesubstring*copyright*
strings.ilikesubstring*appeal*
strings.containssubstring1355 Market Street
strings.containssubstringSan Francisco, CA 94103
strings.containssubstringX Corp
19 more
strings.ilikesubstring*865 FM 1209*bastrop*
ml.logo_detect(file.message_screenshot()).brands[].nameequalsX
ml.logo_detect(file.message_screenshot()).brands[].confidenceequalshigh
ml.nlu_classifier(body.current_thread.text).intents[].nameequalscred_theft
ml.nlu_classifier(body.current_thread.text).intents[].confidenceequalshigh
ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents[].nameequalscred_theft
ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents[].confidenceequalshigh
beta.ml_topic(body.current_thread.text).topics[].namememberReminders and Notifications
beta.ml_topic(body.current_thread.text).topics[].namememberSecurity and Authentication
beta.ml_topic(body.current_thread.text).topics[].namememberLegal and Compliance
beta.ml_topic(body.current_thread.text).topics[].namememberCustomer Service and Support
sender.email.domain.domainmembertwitter.com
sender.email.domain.domainmemberprivaterelay.appleid.com
sender.email.domain.domainmemberstripe.com
sender.email.domain.domainmemberx.com
sender.email.domain.domainmembertwitter.discoursemail.com
sender.email.domain.domainmemberslack.com
strings.ends_withsuffix.hearsay.twitter.com
strings.ends_withsuffix@hearsaysystems.com>