← Back to Explore
sublimelowRule
Brand impersonation: Stellar Development Foundation (SDF)
Attack impersonating Stellar Development Foundation (SDF).
Detection Query
type.inbound
and regex.imatch(sender.display_name, '\bstellar\b')
and sender.email.domain.root_domain != "stellar.org"
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Tags
Cryptocurrency
Raw Content
name: "Brand impersonation: Stellar Development Foundation (SDF)"
description: |
Attack impersonating Stellar Development Foundation (SDF).
references:
- "https://www.stellar.org"
- "https://cyberint.com/blog/research/phishing-for-lumens-a-stellar-stealing-campaign/"
type: "rule"
severity: "low"
source: |
type.inbound
and regex.imatch(sender.display_name, '\bstellar\b')
and sender.email.domain.root_domain != "stellar.org"
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
tags:
- "Cryptocurrency"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Sender analysis"
id: "2af9ab94-77b2-5bf9-89f5-5206ee214d57"