EXPLORE
Sign In
← Back to Explore
sublimehighRule

Brand impersonation: Automobile assistance associations

Detects messages impersonating automobile associations (AAA, CAA, RAC, etc.) offering vehicle emergency kits or roadside assistance services from untrusted senders.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1598.003
initial-access

Detection Query

type.inbound
and (
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "org"
      and .text in~ (
        'AAA', // American Automobile Assoc.
        'RAC', // UK Royal Automobile Club
        'RAA', // Australia Royal Automotive Assoc.
        'CAA', // Canadian Automobile Assoc.
        'BCAA', // BC Automobile Assoc.
        'AMA', // Alberta Motor Assoc.
      )
  )
)
and regex.icontains(body.current_thread.text,
                    '(?:car|vehicle|motor|driver|emergency|road.?side|break.?down|assist|save|discount|complimentary|free\b).{0,10}kit'
)
// and the sender is not from high trust sender root domains
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
// negate newsletters and quarantine notifications
and not (
  any(ml.nlu_classifier(body.current_thread.text).topics,
      .name in ("Newsletters and Digests") and .confidence != "low"
  )
  or strings.icontains(subject.subject, "quarantine")
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand impersonation: Automobile assistance associations"
description: "Detects messages impersonating automobile associations (AAA, CAA, RAC, etc.) offering vehicle emergency kits or roadside assistance services from untrusted senders."
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "org"
        and .text in~ (
          'AAA', // American Automobile Assoc.
          'RAC', // UK Royal Automobile Club
          'RAA', // Australia Royal Automotive Assoc.
          'CAA', // Canadian Automobile Assoc.
          'BCAA', // BC Automobile Assoc.
          'AMA', // Alberta Motor Assoc.
        )
    )
  )
  and regex.icontains(body.current_thread.text,
                      '(?:car|vehicle|motor|driver|emergency|road.?side|break.?down|assist|save|discount|complimentary|free\b).{0,10}kit'
  )
  // and the sender is not from high trust sender root domains
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  // negate newsletters and quarantine notifications
  and not (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Newsletters and Digests") and .confidence != "low"
    )
    or strings.icontains(subject.subject, "quarantine")
  )


attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Header analysis"
  - "Sender analysis"
id: "283f7fe5-afa2-5a2b-bd6c-0df687ed4a11"