Skip to content

Commit dce22d4

Browse files
[Shared Samples] [PR #4685] added rule: PR# 4685 - Brand impersonation: Bids & Tenders
1 parent 6391531 commit dce22d4

1 file changed

Lines changed: 34 additions & 0 deletions

File tree

Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,34 @@
1+
name: "PR# 4685 - Brand impersonation: Bids & Tenders"
2+
description: "Detects messages sent to self that contain links impersonating the Bids & Tenders platform. The rule identifies suspicious links from non-legitimate domains that load Bids & Tenders logo assets, suggesting the sender is spoofing the platform to appear legitimate."
3+
type: "rule"
4+
severity: "high"
5+
source: |
6+
type.inbound
7+
// self sender
8+
and (
9+
length(recipients.to) == 1
10+
and recipients.to[0].email.email == sender.email.email
11+
)
12+
and any(body.current_thread.links,
13+
.href_url.domain.root_domain != 'bidsandtenders.ca'
14+
and any(ml.link_analysis(.).unique_urls_accessed,
15+
.url == 'https://bids.bidsandtenders.ca/Resources/content/StandardTemplate/resources/Logo/BT_NewLogo_NameandSymol-colored.png'
16+
)
17+
)
18+
attack_types:
19+
- "Credential Phishing"
20+
tactics_and_techniques:
21+
- "Impersonation: Brand"
22+
- "Spoofing"
23+
- "Social engineering"
24+
detection_methods:
25+
- "Sender analysis"
26+
- "URL analysis"
27+
- "Content analysis"
28+
id: "e9caeb66-933e-5052-803a-6aa880e78f38"
29+
tags:
30+
- created_from_open_prs
31+
- rule_status_added
32+
- pr_author_D-Bolton
33+
references:
34+
- https://github.com/sublime-security/sublime-rules/pull/4685

0 commit comments

Comments
 (0)