Brand impersonation: Twitter
Detects inbound mail that presents itself as Twitter (now X): a display name or sender domain that is or closely resembles "twitter", several co-occurring X Corp cues (lookalike "-x.com" domains, "x-corp" naming, copyright/appeal pretexts, X Corp postal addresses), or a high-confidence X logo in the rendered message combined with credential-theft intent. Mail from Twitter/X's own domains and a short list of legitimate third-party senders is excluded.
Detection Query
// Only inbound mail is evaluated; every clause below narrows to messages that present as Twitter/X.
type.inbound
and (
  // Twitter logic
  // Display name equal to "twitter" (case-insensitive) or within one edit of it (e.g. "twiter").
  // NOTE(review): a display name such as "Twitter Support" is matched by neither check because
  // the edit distance is far above 1 — confirm the narrow match is intended and not a gap.
  (
    sender.display_name =~ "twitter"
    or strings.ilevenshtein(sender.display_name, 'twitter') <= 1
    // Any From domain containing "twitter"; the genuine twitter.com is carved out further down.
    or strings.ilike(sender.email.domain.domain, '*twitter*')
  )
  // "X" logic
  or (
    (
      // At least three of these X Corp cues must co-occur: lookalike "-x.com" sender or link
      // root domains, "x-corp" in the local part or a link subdomain, a content-dispute /
      // copyright / appeal pretext, and the postal addresses used in X Corp notices.
      // The three strings.contains cues carry no "i" prefix and so presumably match
      // case-sensitively, unlike the ilike/icontains cues around them.
      // NOTE(review): the hard-coded street addresses will go stale if X Corp relocates — revisit.
      3 of (
        strings.iends_with(sender.email.domain.root_domain, "-x.com"),
        strings.icontains(sender.email.local_part, "x-corp"),
        any(body.links,
            strings.iends_with(.href_url.domain.root_domain, "-x.com")
            or strings.istarts_with(.href_url.domain.subdomain, "x-corp")
        ),
        strings.ilike(body.current_thread.text,
                      "*content dispute*",
                      "*copyright*",
                      "*appeal*"
        ),
        strings.contains(body.current_thread.text, '1355 Market Street'),
        strings.contains(body.current_thread.text, 'San Francisco, CA 94103'),
        strings.contains(body.current_thread.text, 'X Corp'),
        strings.ilike(body.current_thread.text, '*865 FM 1209*bastrop*')
      )
      // Alternatively: the rendered message contains exactly one detected brand logo, that logo
      // is X at high confidence, and either the thread text or the OCR of the screenshot is
      // classified as credential theft at high confidence.
      // NOTE(review): requiring exactly one brand means a lure that also carries a second logo
      // (e.g. a mail-client or app-store badge) is not caught by this path — confirm intended.
      or (
        length(ml.logo_detect(file.message_screenshot()).brands) == 1
        and any(ml.logo_detect(file.message_screenshot()).brands,
                .name == "X" and .confidence == "high"
        )
        and (
          any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "cred_theft" and .confidence == "high"
          )
          or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
                 .name == "cred_theft" and .confidence == "high"
          )
        )
      )
    )
    // Both X paths must additionally read as one of these message topics. This constraint
    // sits inside the X group only; the Twitter branch above is not topic-gated.
    and any(beta.ml_topic(body.current_thread.text).topics,
            .name in (
              "Reminders and Notifications",
              "Security and Authentication",
              "Legal and Compliance",
              "Customer Service and Support"
            )
    )
  )
)
// Exact-domain exemptions (in~ compares case-insensitively); this is the full From domain,
// so subdomains of twitter.com/x.com are NOT exempted here — see the Hearsay carve-out below.
// NOTE(review): the exemption is keyed on the From domain alone and nothing in this query ties
// it to a sender-authentication result, so a message that spoofs one of these domains would be
// exempted as well. Confirm whether the exemption should additionally require authentication.
and sender.email.domain.domain not in~ (
  'twitter.com',
  'privaterelay.appleid.com',
  'stripe.com',
  'x.com',
  'twitter.discoursemail.com',
  'slack.com'
)
// negate Hearsay Systems which sends notifications from sender domain ending in twitter.com
// NOTE(review): both values checked here (From domain suffix and Message-ID suffix) originate
// from the message itself; the pairing raises the bar but is not an authentication check.
and not (
  strings.ends_with(sender.email.domain.domain, '.hearsay.twitter.com')
  and strings.ends_with(headers.message_id, '@hearsaysystems.com>')
)
// Ignore mail whose From address is itself one of the recipients
// (presumably the organisation's own addresses — verify what $recipient_emails holds).
and sender.email.email not in $recipient_emails
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
References
Raw Content
# Sublime Security detection rule. `source` holds the MQL query evaluated against each message;
# the remaining keys are catalogue metadata (severity, references, attack taxonomy, stable id).
name: "Brand impersonation: Twitter"
description: |
  Impersonation of Twitter.
references:
  - "https://www.techrepublic.com/article/phishing-attack-spoofs-twitter-to-steal-account-credentials/"
type: "rule"
severity: "medium"
source: |
  // Only inbound mail is evaluated; every clause below narrows to messages that present as Twitter/X.
  type.inbound
  and (
    // Twitter logic
    // Display name equal to "twitter" (case-insensitive) or within one edit of it (e.g. "twiter").
    // NOTE(review): a display name such as "Twitter Support" is matched by neither check because
    // the edit distance is far above 1 — confirm the narrow match is intended and not a gap.
    (
      sender.display_name =~ "twitter"
      or strings.ilevenshtein(sender.display_name, 'twitter') <= 1
      // Any From domain containing "twitter"; the genuine twitter.com is carved out further down.
      or strings.ilike(sender.email.domain.domain, '*twitter*')
    )
    // "X" logic
    or (
      (
        // At least three of these X Corp cues must co-occur: lookalike "-x.com" sender or link
        // root domains, "x-corp" in the local part or a link subdomain, a content-dispute /
        // copyright / appeal pretext, and the postal addresses used in X Corp notices.
        // The three strings.contains cues carry no "i" prefix and so presumably match
        // case-sensitively, unlike the ilike/icontains cues around them.
        // NOTE(review): the hard-coded street addresses will go stale if X Corp relocates — revisit.
        3 of (
          strings.iends_with(sender.email.domain.root_domain, "-x.com"),
          strings.icontains(sender.email.local_part, "x-corp"),
          any(body.links,
              strings.iends_with(.href_url.domain.root_domain, "-x.com")
              or strings.istarts_with(.href_url.domain.subdomain, "x-corp")
          ),
          strings.ilike(body.current_thread.text,
                        "*content dispute*",
                        "*copyright*",
                        "*appeal*"
          ),
          strings.contains(body.current_thread.text, '1355 Market Street'),
          strings.contains(body.current_thread.text, 'San Francisco, CA 94103'),
          strings.contains(body.current_thread.text, 'X Corp'),
          strings.ilike(body.current_thread.text, '*865 FM 1209*bastrop*')
        )
        // Alternatively: the rendered message contains exactly one detected brand logo, that logo
        // is X at high confidence, and either the thread text or the OCR of the screenshot is
        // classified as credential theft at high confidence.
        // NOTE(review): requiring exactly one brand means a lure that also carries a second logo
        // (e.g. a mail-client or app-store badge) is not caught by this path — confirm intended.
        or (
          length(ml.logo_detect(file.message_screenshot()).brands) == 1
          and any(ml.logo_detect(file.message_screenshot()).brands,
                  .name == "X" and .confidence == "high"
          )
          and (
            any(ml.nlu_classifier(body.current_thread.text).intents,
                .name == "cred_theft" and .confidence == "high"
            )
            or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
                   .name == "cred_theft" and .confidence == "high"
            )
          )
        )
      )
      // Both X paths must additionally read as one of these message topics. This constraint
      // sits inside the X group only; the Twitter branch above is not topic-gated.
      and any(beta.ml_topic(body.current_thread.text).topics,
              .name in (
                "Reminders and Notifications",
                "Security and Authentication",
                "Legal and Compliance",
                "Customer Service and Support"
              )
      )
    )
  )
  // Exact-domain exemptions (in~ compares case-insensitively); this is the full From domain,
  // so subdomains of twitter.com/x.com are NOT exempted here — see the Hearsay carve-out below.
  // NOTE(review): the exemption is keyed on the From domain alone and nothing in this query ties
  // it to a sender-authentication result, so a message that spoofs one of these domains would be
  // exempted as well. Confirm whether the exemption should additionally require authentication.
  and sender.email.domain.domain not in~ (
    'twitter.com',
    'privaterelay.appleid.com',
    'stripe.com',
    'x.com',
    'twitter.discoursemail.com',
    'slack.com'
  )
  // negate Hearsay Systems which sends notifications from sender domain ending in twitter.com
  // NOTE(review): both values checked here (From domain suffix and Message-ID suffix) originate
  // from the message itself; the pairing raises the bar but is not an authentication check.
  and not (
    strings.ends_with(sender.email.domain.domain, '.hearsay.twitter.com')
    and strings.ends_with(headers.message_id, '@hearsaysystems.com>')
  )
  // Ignore mail whose From address is itself one of the recipients
  // (presumably the organisation's own addresses — verify what $recipient_emails holds).
  and sender.email.email not in $recipient_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
# NOTE(review): the query also relies on ml.logo_detect, ml.nlu_classifier, beta.ocr and
# beta.ml_topic, so "Sender analysis" alone under-describes how this rule detects; consider
# whether the catalogue's content-analysis / computer-vision / NLU labels should be listed too.
detection_methods:
  - "Sender analysis"
id: "013c32c2-fa05-5456-9c45-284e008ff6a4"