← Back to Explore
sublimemediumRule
Brand impersonation: Enbridge
Impersonation of the Canadian energy company Enbridge.
Detection Query
type.inbound
and (
strings.ilike(sender.display_name, '*enbridge*')
or strings.ilike(sender.email.domain.domain, '*enbridge*')
or strings.ilike(subject.subject, '*enbridge*')
)
and any(body.links,
strings.ilike(.display_text, "*pay now*", "*view your bill*")
)
// negate replies
and (
length(headers.references) == 0
or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
and sender.email.domain.root_domain not in~ (
'enbridge.com',
'enbridgegas.com',
// Enbridge Subsidiaries
'domenergyoheb.com', // Dominion Energy Ohio
'domenergyuteb.com' // Dominion Energy Utah
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Enbridge"
description: "Impersonation of the Canadian energy company Enbridge."
type: "rule"
severity: "medium"
source: |
type.inbound
and (
strings.ilike(sender.display_name, '*enbridge*')
or strings.ilike(sender.email.domain.domain, '*enbridge*')
or strings.ilike(subject.subject, '*enbridge*')
)
and any(body.links,
strings.ilike(.display_text, "*pay now*", "*view your bill*")
)
// negate replies
and (
length(headers.references) == 0
or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
and sender.email.domain.root_domain not in~ (
'enbridge.com',
'enbridgegas.com',
// Enbridge Subsidiaries
'domenergyoheb.com', // Dominion Energy Ohio
'domenergyuteb.com' // Dominion Energy Utah
)
attack_types:
- "BEC/Fraud"
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Sender analysis"
id: "203a6a28-d569-590a-9551-24b4b716b469"