← Back to Explore
sublimehighRule
Brand impersonation: Wells Fargo
Impersonation of Wells Fargo Bank.
Detection Query
type.inbound
and (
sender.display_name =~ 'wellsfargo'
or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
'wellsfargo'
) <= 1
or regex.icontains(strings.replace_confusables(sender.display_name),
'we(ll|ii)s?\s?farg(o|o͙)'
)
or strings.ilike(sender.email.domain.domain, '*wellsfargo*')
or strings.ilike(subject.subject, '*wells fargo security*')
or strings.ilike(body.plain.raw, '*wells fargo security team*')
or strings.ilike(body.html.inner_text, '*wells fargo security team*')
)
and sender.email.domain.root_domain not in~ (
'wellsfargo.com',
'wellsfargoadvisors.com',
'transunion.com',
'wellsfargoemail.com',
'wellsfargorewards.com',
'comcast-spectacor.com',
'investordelivery.com',
'comcastspectacor.com',
'wfadvisors.com',
'wellsfargomerchantservicesllc.com'
)
and (
sender.email.email not in $recipient_emails
or regex.icontains(sender.email.email, "no.?reply")
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
or sender.email.email in (
"drive-shares-noreply@google.com",
"drive-shares-dm-noreply@google.com"
) // Google Drive abuse has been observed
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Raw Content
name: "Brand impersonation: Wells Fargo"
description: |
Impersonation of Wells Fargo Bank.
references:
- "https://www.americanbanker.com/news/wells-fargo-customers-targeted-with-phishing-attacks-using-calendar-invites"
- "https://www.wellsfargo.com/biz/help/faqs/credit-card-rewards/"
type: "rule"
severity: "high"
source: |
type.inbound
and (
sender.display_name =~ 'wellsfargo'
or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
'wellsfargo'
) <= 1
or regex.icontains(strings.replace_confusables(sender.display_name),
'we(ll|ii)s?\s?farg(o|o͙)'
)
or strings.ilike(sender.email.domain.domain, '*wellsfargo*')
or strings.ilike(subject.subject, '*wells fargo security*')
or strings.ilike(body.plain.raw, '*wells fargo security team*')
or strings.ilike(body.html.inner_text, '*wells fargo security team*')
)
and sender.email.domain.root_domain not in~ (
'wellsfargo.com',
'wellsfargoadvisors.com',
'transunion.com',
'wellsfargoemail.com',
'wellsfargorewards.com',
'comcast-spectacor.com',
'investordelivery.com',
'comcastspectacor.com',
'wfadvisors.com',
'wellsfargomerchantservicesllc.com'
)
and (
sender.email.email not in $recipient_emails
or regex.icontains(sender.email.email, "no.?reply")
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
or sender.email.email in (
"drive-shares-noreply@google.com",
"drive-shares-dm-noreply@google.com"
) // Google Drive abuse has been observed
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Lookalike domain"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Sender analysis"
id: "02d7301f-cc29-5031-9a1e-f013400805ba"