From 85b66a14415a44d94beb866e34ca8cfa17da5821 Mon Sep 17 00:00:00 2001 From: cw-sublime Date: Mon, 6 Apr 2026 19:29:39 -0400 Subject: [PATCH 1/7] Update brand_impersonation_robinhood.yml --- .../brand_impersonation_robinhood.yml | 119 +++++++++--------- 1 file changed, 61 insertions(+), 58 deletions(-) diff --git a/detection-rules/brand_impersonation_robinhood.yml b/detection-rules/brand_impersonation_robinhood.yml index 2b7970e2c60..8413a632bbb 100644 --- a/detection-rules/brand_impersonation_robinhood.yml +++ b/detection-rules/brand_impersonation_robinhood.yml 
@@ -11,74 +11,77 @@ source: | ) and ( any(ml.nlu_classifier(body.current_thread.text).intents, - .name == "callback_scam" and .confidence != "low" + .name in ("callback_scam", "cred_theft") + and .confidence in ("low", "high") ) ) - ) - or strings.icontains(body.current_thread.text, 'The Robinhood Team') - or regex.icontains(body.current_thread.text, '©\s*20[0-9]{2}\s*\s*Robinhood') - or 2 of ( - strings.icontains(body.current_thread.text, "Robinhood"), - regex.icontains(body.current_thread.text, '42 Willow (?:Road|St)'), - strings.icontains(body.current_thread.text, "Menlo Park, CA 97095") - ) - or ( - strings.icontains(sender.display_name, 'Robinhood') - and ( - 3 of ( - regex.icontains(body.current_thread.text, 'Location:?'), - regex.icontains(body.current_thread.text, 'Time:'), - regex.icontains(body.current_thread.text, 'Device:?'), - regex.icontains(body.current_thread.text, 'IP Address:?') + or strings.icontains(body.current_thread.text, 'The Robinhood Team') + or regex.icontains(body.current_thread.text, + '©\s*20[0-9]{2}\s*\s*Robinhood' + ) + or 2 of ( + strings.icontains(body.current_thread.text, "Robinhood"), + regex.icontains(body.current_thread.text, '42 Willow (?:Road|St)'), + strings.icontains(body.current_thread.text, "Menlo Park, CA 97095") + ) + or ( + strings.icontains(sender.display_name, 'Robinhood') + and not ( + 3 of ( + regex.icontains(body.current_thread.text, 'Location:?'), + regex.icontains(body.current_thread.text, 'Time:'), + regex.icontains(body.current_thread.text, 'Device:?'), + regex.icontains(body.current_thread.text, 'IP Address:?') + ) + or strings.icontains(body.current_thread.text, "new passkey added") ) - or strings.icontains(body.current_thread.text, "new passkey added") + ) + or ( + length(filter(body.links, + strings.icontains(.href_url.url, + 'https://www.facebook.com/robinhood' + ) + or strings.icontains(.href_url.url, + 'https://twitter.com/robinhoodapp' + ) + or strings.icontains(.href_url.url, + 
'https://www.youtube.com/@RobinhoodApp' + ) + or strings.icontains(.href_url.url, + 'https://www.instagram.com/robinhood' + ) + ) + ) >= 2 ) ) - or ( - length(filter(body.links, - strings.icontains(.href_url.url, - 'https://www.facebook.com/robinhood' - ) - or strings.icontains(.href_url.url, - 'https://twitter.com/robinhoodapp' - ) - or strings.icontains(.href_url.url, - 'https://www.youtube.com/@RobinhoodApp' - ) - or strings.icontains(.href_url.url, - 'https://www.instagram.com/robinhood' - ) - ) - ) >= 2 - ) - ) - // negate legitimate replies and forwards - and ( - ( + // negate legitimate replies and forwards + and ( ( - length(headers.references) > 0 - or not any(headers.hops, - any(.fields, strings.ilike(.name, "In-Reply-To")) + ( + length(headers.references) > 0 + or not any(headers.hops, + any(.fields, strings.ilike(.name, "In-Reply-To")) + ) ) + and not (subject.is_reply or subject.is_forward) ) - and not (subject.is_reply or subject.is_forward) + or length(headers.references) == 0 ) - or length(headers.references) == 0 - ) - // negate newsletters and webinars - and not any(ml.nlu_classifier(body.current_thread.text).topics, - .name in ("Newsletters and Digests", "Events and Webinars") - and .confidence == "high" - ) - and not ( - sender.email.domain.root_domain in ( - "robinhood.com", - "robinhood.org", - "duck.com", // unrelated domain - "robinhoodauctions.com", // unrelated domain - "bitstamp.net" // robinhood acquisition + // negate newsletters and webinars + and not any(ml.nlu_classifier(body.current_thread.text).topics, + .name in ("Newsletters and Digests", "Events and Webinars") + and .confidence == "high" + ) + and not ( + sender.email.domain.root_domain in ( + "robinhood.com", + "robinhood.org", + "duck.com", // unrelated domain + "robinhoodauctions.com", // unrelated domain + "bitstamp.net" // robinhood acquisition + ) + and coalesce(headers.auth_summary.dmarc.pass, false) ) - and coalesce(headers.auth_summary.dmarc.pass, false) ) attack_types: 
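Review bot: Flipping `and (` to `and not (` around the `3 of (Location/Time/Device/IP Address)` block means a message whose display name contains `Robinhood` now matches whenever it does *not* look like a security alert, while the lookalike alerts that block was written to catch are excluded — this reads as an inverted condition rather than a tightening (7/7 restores `and (`). The new confidence filter `.confidence in ("low", "high")` also skips `"medium"`, which is unlikely to be intended; `.confidence != "low"` (the previous form, restored in 3/7) is the usual way to drop only low-confidence hits. The enclosing `source:` block begins above this hunk.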
From e21564444b149aeb12c574c68d4d5c1cd42c1b0d Mon Sep 17 00:00:00 2001 From: cw-sublime Date: Thu, 9 Apr 2026 21:39:42 -0400 Subject: [PATCH 2/7] Revisions to brand impersonation detection rule --- .../brand_impersonation_robinhood.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/detection-rules/brand_impersonation_robinhood.yml b/detection-rules/brand_impersonation_robinhood.yml index 8413a632bbb..1e2ab9d34e2 100644 --- a/detection-rules/brand_impersonation_robinhood.yml +++ b/detection-rules/brand_impersonation_robinhood.yml @@ -67,11 +67,20 @@ source: | ) or length(headers.references) == 0 ) + and ( + ( + profile.by_sender().prevalence != "common" + and not profile.by_sender().solicited + ) + ) // negate newsletters and webinars and not any(ml.nlu_classifier(body.current_thread.text).topics, .name in ("Newsletters and Digests", "Events and Webinars") and .confidence == "high" ) + and not any(ml.nlu_classifier(body.current_thread.text).intents, + .name == "benign" and .confidence == "high" + ) and not ( sender.email.domain.root_domain in ( "robinhood.com", @@ -83,6 +92,14 @@ source: | and coalesce(headers.auth_summary.dmarc.pass, false) ) ) + // negate highly trusted sender domains unless they fail DMARC authentication + and ( + ( + sender.email.domain.root_domain in $high_trust_sender_root_domains + and not headers.auth_summary.dmarc.pass + ) + or sender.email.domain.root_domain not in $high_trust_sender_root_domains + ) attack_types: - "Credential Phishing" From ee3ea2c55ebd0a856aeedca5df1b6a1b5f361102 Mon Sep 17 00:00:00 2001 From: cw-sublime Date: Mon, 13 Apr 2026 21:57:50 -0400 Subject: [PATCH 3/7] Update brand_impersonation_robinhood.yml correcting logic - new hunt https://platform.sublime.security/messages/hunt?huntId=019d88f2-86b5-7d5f-9ad4-15aa1b78f2e3 --- detection-rules/brand_impersonation_robinhood.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) 
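Review bot: In the second hunk the high-trust negation tests `not headers.auth_summary.dmarc.pass` bare, while the domain allowlist a few lines above uses `coalesce(headers.auth_summary.dmarc.pass, false)`; when `dmarc.pass` is null (no DMARC evaluation) the two branches appear to resolve in opposite directions — a listed Robinhood domain would still alert, a high-trust domain would be suppressed. If fail-open is not intended for high-trust senders, write it as `and not coalesce(headers.auth_summary.dmarc.pass, false)` so both negations treat a missing result the same way. The first hunk's `profile.by_sender().prevalence != "common" and not profile.by_sender().solicited` gate also suppresses any sender the organisation has mailed before, which is a broad exclusion for a brand-impersonation rule; it is removed again in 3/7. Both hunks sit inside a `source:` block that starts and ends outside them.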
diff --git a/detection-rules/brand_impersonation_robinhood.yml b/detection-rules/brand_impersonation_robinhood.yml index 1e2ab9d34e2..23f4bbc965c 100644 --- a/detection-rules/brand_impersonation_robinhood.yml +++ b/detection-rules/brand_impersonation_robinhood.yml @@ -12,7 +12,7 @@ source: | and ( any(ml.nlu_classifier(body.current_thread.text).intents, .name in ("callback_scam", "cred_theft") - and .confidence in ("low", "high") + and .confidence != "low" ) ) or strings.icontains(body.current_thread.text, 'The Robinhood Team') @@ -67,12 +67,6 @@ source: | ) or length(headers.references) == 0 ) - and ( - ( - profile.by_sender().prevalence != "common" - and not profile.by_sender().solicited - ) - ) // negate newsletters and webinars and not any(ml.nlu_classifier(body.current_thread.text).topics, .name in ("Newsletters and Digests", "Events and Webinars") From e09e857520fddb790a42d273ded430eb30250687 Mon Sep 17 00:00:00 2001 From: CI Bot Date: Tue, 14 Apr 2026 01:58:54 +0000 Subject: [PATCH 4/7] Auto-format MQL and add rule IDs --- detection-rules/brand_impersonation_robinhood.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/detection-rules/brand_impersonation_robinhood.yml b/detection-rules/brand_impersonation_robinhood.yml index 23f4bbc965c..4f01d885788 100644 --- a/detection-rules/brand_impersonation_robinhood.yml +++ b/detection-rules/brand_impersonation_robinhood.yml @@ -11,8 +11,7 @@ source: | ) and ( any(ml.nlu_classifier(body.current_thread.text).intents, - .name in ("callback_scam", "cred_theft") - and .confidence != "low" + .name in ("callback_scam", "cred_theft") and .confidence != "low" ) ) or strings.icontains(body.current_thread.text, 'The Robinhood Team') @@ -94,7 +93,6 @@ source: | ) or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) - attack_types: - "Credential Phishing" tactics_and_techniques: From 017cf4b5832cbcfbee429545c268ab1348f8fe95 Mon Sep 17 00:00:00 2001 
From: cw-sublime Date: Mon, 13 Apr 2026 22:26:32 -0400 Subject: [PATCH 5/7] Revise brand impersonation detection rules for Robinhood Revise based on hunt - https://platform.sublime.security/messages/hunt?huntId=019d89c9-ed1c-7921-9002-297497fe134c --- .../brand_impersonation_robinhood.yml | 150 +++++++++--------- 1 file changed, 77 insertions(+), 73 deletions(-) diff --git a/detection-rules/brand_impersonation_robinhood.yml b/detection-rules/brand_impersonation_robinhood.yml index 4f01d885788..0a5d1565c05 100644 --- a/detection-rules/brand_impersonation_robinhood.yml +++ b/detection-rules/brand_impersonation_robinhood.yml 
@@ -5,94 +5,98 @@ severity: "medium" source: | type.inbound and ( - ( - any(ml.nlu_classifier(body.current_thread.text).entities, - .name in ("org", "sender") and strings.icontains(.text, 'Robinhood') - ) - and ( - any(ml.nlu_classifier(body.current_thread.text).intents, - .name in ("callback_scam", "cred_theft") and .confidence != "low" - ) - ) - or strings.icontains(body.current_thread.text, 'The Robinhood Team') - or regex.icontains(body.current_thread.text, - '©\s*20[0-9]{2}\s*\s*Robinhood' - ) - or 2 of ( - strings.icontains(body.current_thread.text, "Robinhood"), - regex.icontains(body.current_thread.text, '42 Willow (?:Road|St)'), - strings.icontains(body.current_thread.text, "Menlo Park, CA 97095") + ( + any(ml.nlu_classifier(body.current_thread.text).entities, + .name in ("org", "sender") and strings.icontains(.text, 'Robinhood') + ) + and ( + any(ml.nlu_classifier(body.current_thread.text).intents, + .name in ("callback_scam", "cred_theft") and .confidence != "low" ) - or ( - strings.icontains(sender.display_name, 'Robinhood') - and not ( - 3 of ( - regex.icontains(body.current_thread.text, 'Location:?'), - regex.icontains(body.current_thread.text, 'Time:'), - regex.icontains(body.current_thread.text, 'Device:?'), - regex.icontains(body.current_thread.text, 'IP Address:?') - ) - or strings.icontains(body.current_thread.text, "new passkey added") + ) + or strings.icontains(body.current_thread.text, 'The Robinhood Team') + or regex.icontains(body.current_thread.text, + '©\s*20[0-9]{2}\s*\s*Robinhood' + ) + or 2 of ( + strings.icontains(body.current_thread.text, "Robinhood"), + regex.icontains(body.current_thread.text, '42 Willow (?:Road|St)'), + strings.icontains(body.current_thread.text, "Menlo Park, CA 97095") + ) + or ( + strings.icontains(sender.display_name, 'Robinhood') + and not ( + 3 of ( + regex.icontains(body.current_thread.text, 'Location:?'), + regex.icontains(body.current_thread.text, 'Time:'), + regex.icontains(body.current_thread.text, 
'Device:?'), + regex.icontains(body.current_thread.text, 'IP Address:?') ) - ) - or ( - length(filter(body.links, - strings.icontains(.href_url.url, - 'https://www.facebook.com/robinhood' - ) - or strings.icontains(.href_url.url, - 'https://twitter.com/robinhoodapp' - ) - or strings.icontains(.href_url.url, - 'https://www.youtube.com/@RobinhoodApp' - ) - or strings.icontains(.href_url.url, - 'https://www.instagram.com/robinhood' - ) - ) - ) >= 2 + or strings.icontains(body.current_thread.text, "new passkey added") ) ) - // negate legitimate replies and forwards - and ( + or ( + length(filter(body.links, + strings.icontains(.href_url.url, + 'https://www.facebook.com/robinhood' + ) + or strings.icontains(.href_url.url, + 'https://twitter.com/robinhoodapp' + ) + or strings.icontains(.href_url.url, + 'https://www.youtube.com/@RobinhoodApp' + ) + or strings.icontains(.href_url.url, + 'https://www.instagram.com/robinhood' + ) + ) + ) >= 2 + ) + ) + // negate legitimate replies and forwards + and ( + ( ( - ( - length(headers.references) > 0 - or not any(headers.hops, - any(.fields, strings.ilike(.name, "In-Reply-To")) - ) + length(headers.references) > 0 + or not any(headers.hops, + any(.fields, strings.ilike(.name, "In-Reply-To")) ) - and not (subject.is_reply or subject.is_forward) ) - or length(headers.references) == 0 + and not (subject.is_reply or subject.is_forward) ) - // negate newsletters and webinars - and not any(ml.nlu_classifier(body.current_thread.text).topics, - .name in ("Newsletters and Digests", "Events and Webinars") - and .confidence == "high" + or length(headers.references) == 0 + ) + + // negate newsletters and webinars + and not ( + any(ml.nlu_classifier(body.current_thread.text).topics, + .name in ("Newsletters and Digests", "Events and Webinars") + and .confidence == "high" ) - and not any(ml.nlu_classifier(body.current_thread.text).intents, - .name == "benign" and .confidence == "high" + or any(ml.nlu_classifier(body.current_thread.text).intents, 
+ .name == "benign" and .confidence == "high" ) - and not ( - sender.email.domain.root_domain in ( - "robinhood.com", - "robinhood.org", - "duck.com", // unrelated domain - "robinhoodauctions.com", // unrelated domain - "bitstamp.net" // robinhood acquisition - ) - and coalesce(headers.auth_summary.dmarc.pass, false) + ) + and not ( + sender.email.domain.root_domain in ( + "robinhood.com", + "robinhood.org", + "duck.com", // unrelated domain + "robinhoodauctions.com", // unrelated domain + "bitstamp.net" // robinhood acquisition ) + and coalesce(headers.auth_summary.dmarc.pass, false) + ) ) // negate highly trusted sender domains unless they fail DMARC authentication and ( - ( - sender.email.domain.root_domain in $high_trust_sender_root_domains - and not headers.auth_summary.dmarc.pass - ) - or sender.email.domain.root_domain not in $high_trust_sender_root_domains + ( + sender.email.domain.root_domain in $high_trust_sender_root_domains + and not headers.auth_summary.dmarc.pass + ) + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) + attack_types: - "Credential Phishing" tactics_and_techniques: From fb227a6bfb3511c677f14c9a3a3aba73d678cccf Mon Sep 17 00:00:00 2001 From: CI Bot Date: Tue, 14 Apr 2026 02:27:36 +0000 Subject: [PATCH 6/7] Auto-format MQL and add rule IDs --- .../brand_impersonation_robinhood.yml | 153 +++++++++--------- 1 file changed, 76 insertions(+), 77 deletions(-) diff --git a/detection-rules/brand_impersonation_robinhood.yml b/detection-rules/brand_impersonation_robinhood.yml index 0a5d1565c05..93c3923cf5f 100644 --- a/detection-rules/brand_impersonation_robinhood.yml +++ b/detection-rules/brand_impersonation_robinhood.yml 
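Review bot: Almost every line in this hunk is an indentation change rather than logic — the two `not any(...)` negations are regrouped as one `not (A or B)`, which is equivalent by De Morgan, and the rest re-indents the `source:` body by two columns, which CI reverts in 6/7. Running the MQL formatter before committing (or keeping formatting-only changes in their own commit) would leave a diff that shows the one real change, and the `// negate newsletters and webinars` comment should then say what the merged block now covers, e.g. `// negate newsletters, webinars and high-confidence benign intents`. The `source:` block starts above this hunk.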
@@ -5,98 +5,97 @@ severity: "medium" source: | type.inbound and ( - ( - any(ml.nlu_classifier(body.current_thread.text).entities, - .name in ("org", "sender") and strings.icontains(.text, 'Robinhood') - ) - and ( - any(ml.nlu_classifier(body.current_thread.text).intents, - .name in ("callback_scam", "cred_theft") and .confidence != "low" + ( + any(ml.nlu_classifier(body.current_thread.text).entities, + .name in ("org", "sender") and strings.icontains(.text, 'Robinhood') ) - ) - or strings.icontains(body.current_thread.text, 'The Robinhood Team') - or regex.icontains(body.current_thread.text, - '©\s*20[0-9]{2}\s*\s*Robinhood' - ) - or 2 of ( - strings.icontains(body.current_thread.text, "Robinhood"), - regex.icontains(body.current_thread.text, '42 Willow (?:Road|St)'), - strings.icontains(body.current_thread.text, "Menlo Park, CA 97095") - ) - or ( - strings.icontains(sender.display_name, 'Robinhood') - and not ( - 3 of ( - regex.icontains(body.current_thread.text, 'Location:?'), - regex.icontains(body.current_thread.text, 'Time:'), - regex.icontains(body.current_thread.text, 'Device:?'), - regex.icontains(body.current_thread.text, 'IP Address:?') + and ( + any(ml.nlu_classifier(body.current_thread.text).intents, + .name in ("callback_scam", "cred_theft") and .confidence != "low" ) - or strings.icontains(body.current_thread.text, "new passkey added") + ) + or strings.icontains(body.current_thread.text, 'The Robinhood Team') + or regex.icontains(body.current_thread.text, + '©\s*20[0-9]{2}\s*\s*Robinhood' + ) + or 2 of ( + strings.icontains(body.current_thread.text, "Robinhood"), + regex.icontains(body.current_thread.text, '42 Willow (?:Road|St)'), + strings.icontains(body.current_thread.text, "Menlo Park, CA 97095") + ) + or ( + strings.icontains(sender.display_name, 'Robinhood') + and not ( + 3 of ( + regex.icontains(body.current_thread.text, 'Location:?'), + regex.icontains(body.current_thread.text, 'Time:'), + regex.icontains(body.current_thread.text, 'Device:?'), 
+ regex.icontains(body.current_thread.text, 'IP Address:?') + ) + or strings.icontains(body.current_thread.text, "new passkey added") + ) + ) + or ( + length(filter(body.links, + strings.icontains(.href_url.url, + 'https://www.facebook.com/robinhood' + ) + or strings.icontains(.href_url.url, + 'https://twitter.com/robinhoodapp' + ) + or strings.icontains(.href_url.url, + 'https://www.youtube.com/@RobinhoodApp' + ) + or strings.icontains(.href_url.url, + 'https://www.instagram.com/robinhood' + ) + ) + ) >= 2 ) ) - or ( - length(filter(body.links, - strings.icontains(.href_url.url, - 'https://www.facebook.com/robinhood' - ) - or strings.icontains(.href_url.url, - 'https://twitter.com/robinhoodapp' - ) - or strings.icontains(.href_url.url, - 'https://www.youtube.com/@RobinhoodApp' - ) - or strings.icontains(.href_url.url, - 'https://www.instagram.com/robinhood' - ) - ) - ) >= 2 - ) - ) - // negate legitimate replies and forwards - and ( - ( + // negate legitimate replies and forwards + and ( ( - length(headers.references) > 0 - or not any(headers.hops, - any(.fields, strings.ilike(.name, "In-Reply-To")) + ( + length(headers.references) > 0 + or not any(headers.hops, + any(.fields, strings.ilike(.name, "In-Reply-To")) + ) ) + and not (subject.is_reply or subject.is_forward) ) - and not (subject.is_reply or subject.is_forward) + or length(headers.references) == 0 ) - or length(headers.references) == 0 - ) - // negate newsletters and webinars - and not ( - any(ml.nlu_classifier(body.current_thread.text).topics, - .name in ("Newsletters and Digests", "Events and Webinars") - and .confidence == "high" - ) - or any(ml.nlu_classifier(body.current_thread.text).intents, - .name == "benign" and .confidence == "high" + // negate newsletters and webinars + and not ( + any(ml.nlu_classifier(body.current_thread.text).topics, + .name in ("Newsletters and Digests", "Events and Webinars") + and .confidence == "high" + ) + or any(ml.nlu_classifier(body.current_thread.text).intents, + 
.name == "benign" and .confidence == "high" + ) ) - ) - and not ( - sender.email.domain.root_domain in ( - "robinhood.com", - "robinhood.org", - "duck.com", // unrelated domain - "robinhoodauctions.com", // unrelated domain - "bitstamp.net" // robinhood acquisition + and not ( + sender.email.domain.root_domain in ( + "robinhood.com", + "robinhood.org", + "duck.com", // unrelated domain + "robinhoodauctions.com", // unrelated domain + "bitstamp.net" // robinhood acquisition + ) + and coalesce(headers.auth_summary.dmarc.pass, false) ) - and coalesce(headers.auth_summary.dmarc.pass, false) - ) ) // negate highly trusted sender domains unless they fail DMARC authentication and ( - ( - sender.email.domain.root_domain in $high_trust_sender_root_domains - and not headers.auth_summary.dmarc.pass - ) - or sender.email.domain.root_domain not in $high_trust_sender_root_domains + ( + sender.email.domain.root_domain in $high_trust_sender_root_domains + and not headers.auth_summary.dmarc.pass + ) + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) - attack_types: - "Credential Phishing" tactics_and_techniques: From d9b65cf0530fbf7ed6309d265501a3ed635a801d Mon Sep 17 00:00:00 2001 From: cw-sublime Date: Sun, 26 Apr 2026 16:06:31 -0400 Subject: [PATCH 7/7] Updating format and revising logic https://platform.sublime.security/messages/hunt?huntId=019dcb3b-93d3-781e-b67e-c91372c3d122 --- .../brand_impersonation_robinhood.yml | 149 +++++++++--------- 1 file changed, 76 insertions(+), 73 deletions(-) diff --git a/detection-rules/brand_impersonation_robinhood.yml b/detection-rules/brand_impersonation_robinhood.yml index 93c3923cf5f..226759b7bee 100644 --- a/detection-rules/brand_impersonation_robinhood.yml +++ b/detection-rules/brand_impersonation_robinhood.yml 
@@ -11,90 +11,93 @@ source: | ) and ( any(ml.nlu_classifier(body.current_thread.text).intents, - .name in ("callback_scam", "cred_theft") and .confidence != "low" + .name == "callback_scam" and .confidence != "low" ) ) - or strings.icontains(body.current_thread.text, 'The Robinhood Team') - or regex.icontains(body.current_thread.text, - '©\s*20[0-9]{2}\s*\s*Robinhood' - ) - or 2 of ( - strings.icontains(body.current_thread.text, "Robinhood"), - regex.icontains(body.current_thread.text, '42 Willow (?:Road|St)'), - strings.icontains(body.current_thread.text, "Menlo Park, CA 97095") - ) - or ( - strings.icontains(sender.display_name, 'Robinhood') - and not ( - 3 of ( - regex.icontains(body.current_thread.text, 'Location:?'), - regex.icontains(body.current_thread.text, 'Time:'), - regex.icontains(body.current_thread.text, 'Device:?'), - regex.icontains(body.current_thread.text, 'IP Address:?') - ) - or strings.icontains(body.current_thread.text, "new passkey added") - ) - ) - or ( - length(filter(body.links, - strings.icontains(.href_url.url, - 'https://www.facebook.com/robinhood' - ) - or strings.icontains(.href_url.url, - 'https://twitter.com/robinhoodapp' - ) - or strings.icontains(.href_url.url, - 'https://www.youtube.com/@RobinhoodApp' - ) - or strings.icontains(.href_url.url, - 'https://www.instagram.com/robinhood' - ) - ) - ) >= 2 - ) ) - // negate legitimate replies and forwards - and ( - ( - ( - length(headers.references) > 0 - or not any(headers.hops, - any(.fields, strings.ilike(.name, "In-Reply-To")) - ) - ) - and not (subject.is_reply or subject.is_forward) - ) - or length(headers.references) == 0 + or strings.icontains(body.current_thread.text, 'The Robinhood Team') + or regex.icontains(body.current_thread.text, '©\s*20[0-9]{2}\s*\s*Robinhood') + or strings.icontains(body.current_thread.text, "(888) 344-3957") + or strings.icontains(body.current_thread.text, "Financial LLC (Member SIPC)") + or strings.icontains(body.current_thread.text, + "Securities, LLC 
(Member SIPC)" ) - - // negate newsletters and webinars - and not ( - any(ml.nlu_classifier(body.current_thread.text).topics, - .name in ("Newsletters and Digests", "Events and Webinars") - and .confidence == "high" - ) - or any(ml.nlu_classifier(body.current_thread.text).intents, - .name == "benign" and .confidence == "high" - ) + or 2 of ( + strings.icontains(body.current_thread.text, "Robinhood"), + regex.icontains(body.current_thread.text, '42 Willow (?:Road|St)'), + strings.icontains(body.current_thread.text, "Menlo Park, CA 97095"), + regex.icontains(body.current_thread.text, 'Email ID:?') ) - and not ( - sender.email.domain.root_domain in ( - "robinhood.com", - "robinhood.org", - "duck.com", // unrelated domain - "robinhoodauctions.com", // unrelated domain - "bitstamp.net" // robinhood acquisition + or ( + strings.icontains(sender.display_name, 'Robinhood') + and ( + 3 of ( + regex.icontains(body.current_thread.text, 'Location:?'), + regex.icontains(body.current_thread.text, 'Time:'), + regex.icontains(body.current_thread.text, 'Device:?'), + regex.icontains(body.current_thread.text, 'IP Address:?'), + regex.icontains(body.current_thread.text, 'Date:'), + regex.icontains(body.current_thread.text, 'Region:?'), + regex.icontains(body.current_thread.text, 'App:?'), + ) + or strings.icontains(body.current_thread.text, "new passkey added") + or strings.icontains(body.current_thread.text, + "Security support phone number:" + ) ) - and coalesce(headers.auth_summary.dmarc.pass, false) + ) + or ( + length(filter(body.links, + strings.icontains(.href_url.url, + 'https://www.facebook.com/robinhood' + ) + or strings.icontains(.href_url.url, + 'https://twitter.com/robinhoodapp' + ) + or strings.icontains(.href_url.url, + 'https://www.youtube.com/@RobinhoodApp' + ) + or strings.icontains(.href_url.url, + 'https://www.instagram.com/robinhood' + ) + ) + ) >= 2 ) ) - // negate highly trusted sender domains unless they fail DMARC authentication + // negate legitimate replies 
and forwards and ( ( - sender.email.domain.root_domain in $high_trust_sender_root_domains - and not headers.auth_summary.dmarc.pass + ( + length(headers.references) > 0 + or not any(headers.hops, + any(.fields, strings.ilike(.name, "In-Reply-To")) + ) + ) + and not (subject.is_reply or subject.is_forward) + ) + or length(headers.references) == 0 + ) + // negate newsletters and webinars + and not any(ml.nlu_classifier(body.current_thread.text).topics, + .name in ( + "Newsletters and Digests", + "Health and Wellness", + "Events and Webinars" + ) + and .confidence == "high" + ) + and not any(ml.nlu_classifier(body.current_thread.text).intents, + .name == "benign" and .confidence == "high" + ) + and not ( + sender.email.domain.root_domain in ( + "robinhood.com", + "robinhood.org", + "duck.com", // unrelated domain + "robinhoodauctions.com", // unrelated domain + "bitstamp.net" // robinhood acquisition ) - or sender.email.domain.root_domain not in $high_trust_sender_root_domains + and coalesce(headers.auth_summary.dmarc.pass, false) ) attack_types: - "Credential Phishing"
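Review bot: The `$high_trust_sender_root_domains` negation added in 2/7 is deleted on the new side of this hunk and nothing replaces it, so a high-trust domain that passes DMARC and merely quotes the Robinhood footer, the `(888) 344-3957` number or `Financial LLC (Member SIPC)` now alerts; the commit message does not say this is intended, so either restore the block (below) or note why it was dropped. Several of the new labels use an optional colon, so `regex.icontains(body.current_thread.text, 'App:?')` is effectively a substring match for "app" (it also hits "happy", "apply", "approve"), and `'Region:?'`/`'Date:'` are similarly generic inside a `3 of` that needs only three hits next to a `Robinhood` display name; anchoring the label, e.g. `regex.icontains(body.current_thread.text, '\bApp:')`, keeps the template match without the noise. The intent list also drops `cred_theft` while the rule is still tagged `Credential Phishing`, and the `3 of (` list ends with a trailing comma after `'App:?'),` — confirm the MQL parser accepts that, since the CI formatter on earlier patches did not produce one. The rule's `source:` begins above this hunk.
```yaml
    // … unchanged: reply/forward, newsletter, benign-intent and Robinhood-domain negations …
    // negate highly trusted sender domains unless they fail DMARC authentication
    and (
      (
        sender.email.domain.root_domain in $high_trust_sender_root_domains
        and not headers.auth_summary.dmarc.pass
      )
      or sender.email.domain.root_domain not in $high_trust_sender_root_domains
    )
```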