Sublime · Severity: medium · Rule

Brand impersonation: LinkedIn

Impersonation of LinkedIn.

Detection Query

// Inbound mail whose sender presents as LinkedIn but does not come from LinkedIn.
// A message matches when the display name or sender root domain equals, ends
// with, or is within two character edits of the brand, or when a "*linkedin*"
// display name is paired with one of three corroborating signals; the trailing
// clauses then carve out known-legitimate senders.
type.inbound
and (
  // exact, case-insensitive display-name match
  sender.display_name =~ 'linkedin'
  // lookalike display name or root domain: at most two edits from the brand
  or strings.ilevenshtein(sender.display_name, 'linkedin') <= 2
  or strings.ilevenshtein(sender.email.domain.root_domain, 'linkedin.com') <= 2
  // root domain that merely ends in "linkedin.com" (brand used as a suffix)
  or strings.ilike(sender.email.domain.root_domain, "*linkedin.com")
  or (
    // brand appears anywhere in the display name, plus (`1 of`) one of the
    // corroborating signals below
    strings.ilike(sender.display_name, "*linkedin*")
    and 1 of (
      // NLU classifier finds a high-confidence credential-theft / PII-theft intent
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("cred_theft", "steal_pii") and .confidence == "high"
      ),
      // sender domain registered within the last 30 days and the brand is in the address
      network.whois(sender.email.domain).days_old <= 30
      and strings.ilike(sender.email.email, "*linkedin*"),
      // every Reply-To diverges from both the sender's and the Return-Path root
      // domain, and those two differ from each other. The length() guard is
      // presumably there because all() over an empty reply_to would otherwise
      // hold — confirm against MQL semantics.
      (
        length(headers.reply_to) > 0
        and all(headers.reply_to,
                .email.domain.root_domain != sender.email.domain.root_domain
        )
        and all(headers.reply_to,
                .email.domain.root_domain != headers.return_path.domain.root_domain
        )
        and sender.email.domain.root_domain != headers.return_path.domain.root_domain
      )
    )
  )
)
// Root domains excluded outright: the brand itself, plus names that fall within
// the edit distance or suffix match above yet are known senders.
and sender.email.domain.root_domain not in (
  'linkedin.com',
  'smartrecruiters.com',
  'teams-events.com',
  'linkeen.com'
)
// exact (non-root) domain exclusion; presumably LinkedIn's Coupa-hosted tenant
and sender.email.domain.domain not in ('linkedin.coupahost.com')
// exclude senders that are themselves recipient addresses ($recipient_emails is
// supplied externally; presumably the organization's own mailboxes)
and sender.email.email not in $recipient_emails
// exclude Message-IDs ending in "linkedin.com>"; the [^-] keeps hyphen-joined
// lookalikes such as "x-linkedin.com" from being excluded.
// NOTE(review): Message-ID is written by the sending system, so this exclusion
// should not stand alone; also the '.' before "com" is an unescaped regex
// metacharacter and matches any character — '\.' would be stricter.
and not regex.icontains(headers.message_id, '[^-]linkedin.com>$')

// LinkedIn corporate uses DocuSign: allow DocuSign senders whose Reply-To is
// linkedin.com. NOTE(review): unlike the Reply-To check above there is no
// length(headers.reply_to) > 0 guard here — confirm that an empty reply_to
// list cannot satisfy all() and silently widen this exception.
and not (
  sender.email.domain.root_domain in~ ('docusign.net', 'docusign.com')
  and all(headers.reply_to, .email.domain.root_domain == 'linkedin.com')
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Sublime detection rule: inbound mail that impersonates the LinkedIn brand.
name: "Brand impersonation: LinkedIn"
description: |
  Impersonation of LinkedIn.
references:
  - "https://www.arcyber.army.mil/Info/Fact-Sheets/Fact-Sheet-View-Page/Article/1972156/army-cyber-fact-sheet-linkedin-scams/"
type: "rule"
severity: "medium"
# MQL query; the // lines inside the block are MQL comments explaining each clause.
source: |
  // Sender presents as LinkedIn: exact or near (<= 2 edits) display name or
  // root domain, a root domain ending in "linkedin.com", or a "*linkedin*"
  // display name plus (`1 of`) one corroborating signal.
  type.inbound
  and (
    sender.display_name =~ 'linkedin'
    or strings.ilevenshtein(sender.display_name, 'linkedin') <= 2
    or strings.ilevenshtein(sender.email.domain.root_domain, 'linkedin.com') <= 2
    or strings.ilike(sender.email.domain.root_domain, "*linkedin.com")
    or (
      strings.ilike(sender.display_name, "*linkedin*")
      and 1 of (
        // high-confidence credential-theft / PII-theft intent from the NLU classifier
        any(ml.nlu_classifier(body.current_thread.text).intents,
            .name in ("cred_theft", "steal_pii") and .confidence == "high"
        ),
        // sender domain registered within 30 days and the brand in the address
        network.whois(sender.email.domain).days_old <= 30
        and strings.ilike(sender.email.email, "*linkedin*"),
        // every Reply-To diverges from sender and Return-Path root domains, which
        // also differ from each other; the length() guard presumably prevents an
        // empty reply_to from satisfying all() — confirm against MQL semantics
        (
          length(headers.reply_to) > 0
          and all(headers.reply_to,
                  .email.domain.root_domain != sender.email.domain.root_domain
          )
          and all(headers.reply_to,
                  .email.domain.root_domain != headers.return_path.domain.root_domain
          )
          and sender.email.domain.root_domain != headers.return_path.domain.root_domain
        )
      )
    )
  )
  // known senders that would otherwise fall inside the edit-distance / suffix match
  and sender.email.domain.root_domain not in (
    'linkedin.com',
    'smartrecruiters.com',
    'teams-events.com',
    'linkeen.com'
  )
  // exact-domain exclusion; presumably LinkedIn's Coupa-hosted tenant
  and sender.email.domain.domain not in ('linkedin.coupahost.com')
  // sender is itself a recipient address ($recipient_emails is supplied externally)
  and sender.email.email not in $recipient_emails
  // Message-IDs ending in "linkedin.com>" (hyphen-joined lookalikes stay in scope).
  // NOTE(review): Message-ID is written by the sending system, so this should not
  // stand alone; the '.' before "com" is unescaped — '\.' would be stricter.
  and not regex.icontains(headers.message_id, '[^-]linkedin.com>$')
  
  // LinkedIn corporate uses DocuSign: allow DocuSign senders whose Reply-To is
  // linkedin.com. NOTE(review): no length(headers.reply_to) > 0 guard here,
  // unlike the check above — confirm an empty reply_to cannot satisfy all().
  and not (
    sender.email.domain.root_domain in~ ('docusign.net', 'docusign.com')
    and all(headers.reply_to, .email.domain.root_domain == 'linkedin.com')
  )
# Classification metadata: attack type, techniques, and detection methods.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
# Stable identifier for this rule.
id: "1a0cde6d-ce91-575f-a6a4-7a88b12f2ca4"