Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Lookalike domain, Social engineering |
Event coverage
| Message attribute |
|---|
| headers.auth_summary |
| sender |
| sender.email |
| type |
Rule body MQL
type.inbound
and (
strings.ilike(sender.display_name, '*venmo*')
or strings.ilevenshtein(sender.display_name, 'venmo') <= 1
)
and sender.email.domain.root_domain not in~ (
'venmo.com',
'synchronybank.com',
'venmocreditsurvey.com',
'venmo-experience.com',
'synchrony.com'
)
// and not if the sender.display.name contains "via" and dmarc pass from venmo.com
and not (
(
headers.auth_summary.dmarc.pass
and headers.auth_summary.dmarc.details.from.root_domain == "venmo.com"
)
and strings.contains(sender.display_name, "via")
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// and no false positives and not solicited
and (
not profile.by_sender().any_messages_benign
and not profile.by_sender().solicited
)
Detection logic
Scope: inbound message.
Impersonation of Venmo
- inbound message
any of:
- sender.display_name matches '*venmo*'
- sender.display_name is similar to 'venmo'
- sender.email.domain.root_domain not in ('venmo.com', 'synchronybank.com', 'venmocreditsurvey.com', 'venmo-experience.com', 'synchrony.com')
not:
all of:
all of:
- headers.auth_summary.dmarc.pass
- headers.auth_summary.dmarc.details.from.root_domain is 'venmo.com'
- sender.display_name contains 'via'
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
not:
- headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
all of:
not:
- profile.by_sender().any_messages_benign
not:
- profile.by_sender().solicited
Inspects: headers.auth_summary.dmarc.details.from.root_domain, headers.auth_summary.dmarc.pass, sender.display_name, sender.email.domain.root_domain, type.inbound. Sensors: profile.by_sender, strings.contains, strings.ilevenshtein, strings.ilike. Reference lists: $high_trust_sender_root_domains.
Indicators matched (9)
| Field | Match | Value |
|---|---|---|
strings.ilike | substring | *venmo* |
strings.ilevenshtein | fuzzy | venmo |
sender.email.domain.root_domain | member | venmo.com |
sender.email.domain.root_domain | member | synchronybank.com |
sender.email.domain.root_domain | member | venmocreditsurvey.com |
sender.email.domain.root_domain | member | venmo-experience.com |
sender.email.domain.root_domain | member | synchrony.com |
headers.auth_summary.dmarc.details.from.root_domain | equals | venmo.com |
strings.contains | substring | via |