sublimehighRule

Brand impersonation: Apple

Impersonation of Apple.

MITRE ATT&CK

T1566 T1566.001 T1566.002 T1598 T1598.003

initial-access

Detection Query

type.inbound
and (
  sender.display_name =~ 'apple developer'
  or strings.ilevenshtein(sender.display_name, 'apple developer') <= 2
)
and sender.email.domain.root_domain !~ 'apple.com'
and sender.email.email not in $recipient_emails

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

References

https://www.computerworld.com/article/3538470/how-to-protect-against-apple-phishing-scams.html

Raw Content

name: "Brand impersonation: Apple"
description: |
  Impersonation of Apple.
references:
  - "https://www.computerworld.com/article/3538470/how-to-protect-against-apple-phishing-scams.html"
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    sender.display_name =~ 'apple developer'
    or strings.ilevenshtein(sender.display_name, 'apple developer') <= 2
  )
  and sender.email.domain.root_domain !~ 'apple.com'
  and sender.email.email not in $recipient_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "0b17f2c2-e100-5d51-b53e-ee3da0431f1d"