← Back to Explore
sublimelowRule
Brand impersonation: Norton
Scans files to detect Norton (Lifelock|360|Security) impersonation.
Detection Query
type.inbound
and sender.email.domain.domain != "norton.com"
and any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and (
(
strings.ilike(.file_name, "*norton*")
and not (
any(recipients.to, strings.iends_with(.display_name, "Norton"))
)
)
or any(file.explode(.),
regex.icontains(.scan.ocr.raw,
".*norton.?60.*",
".*lifelock.*",
".*norton.?security.*",
".*norton.?anti.?virus.*",
".*Norton.{2,3}subscription.*"
)
)
)
)
and (
(
// if freemail, flag if it's a first-time sender
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
or (
// if custom domain, we want to avoid flagging
// on the real Norton invoices
// so we flag if it's not a first-time sender
// and if it's not in the tranco 1M w/ a reply-to mismatch
// for example we've observed:
// Sender: Norton <quickbooks@notification.intuit.com>
// Reply-to: foo@outlook.com
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
and (
sender.email.domain.root_domain not in $tranco_1m
or any(headers.reply_to,
.email.domain.domain != sender.email.domain.domain
)
)
)
or (
(
length(recipients.to) == 0
or all(recipients.to, .display_name == "Undisclosed recipients")
)
and length(recipients.cc) == 0
and length(recipients.bcc) == 0
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
- https://techaeris.com/2021/10/23/psa-watch-out-for-norton-lifelock-phishing-emails/
- https://playground.sublimesecurity.com?id=31310ef5-8725-49b8-9c33-6b18ecdb5ba0
- https://playground.sublimesecurity.com?id=a67bc61c-28f0-4904-a046-4584e706697d
- https://playground.sublimesecurity.com?id=3f5809c9-43cf-4f0c-a709-6f9e3912dbb4
Raw Content
name: "Brand impersonation: Norton"
description: |
Scans files to detect Norton (Lifelock|360|Security) impersonation.
references:
- "https://techaeris.com/2021/10/23/psa-watch-out-for-norton-lifelock-phishing-emails/"
- "https://playground.sublimesecurity.com?id=31310ef5-8725-49b8-9c33-6b18ecdb5ba0"
- "https://playground.sublimesecurity.com?id=a67bc61c-28f0-4904-a046-4584e706697d"
- "https://playground.sublimesecurity.com?id=3f5809c9-43cf-4f0c-a709-6f9e3912dbb4"
type: "rule"
severity: "low"
source: |
type.inbound
and sender.email.domain.domain != "norton.com"
and any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and (
(
strings.ilike(.file_name, "*norton*")
and not (
any(recipients.to, strings.iends_with(.display_name, "Norton"))
)
)
or any(file.explode(.),
regex.icontains(.scan.ocr.raw,
".*norton.?60.*",
".*lifelock.*",
".*norton.?security.*",
".*norton.?anti.?virus.*",
".*Norton.{2,3}subscription.*"
)
)
)
)
and (
(
// if freemail, flag if it's a first-time sender
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
or (
// if custom domain, we want to avoid flagging
// on the real Norton invoices
// so we flag if it's not a first-time sender
// and if it's not in the tranco 1M w/ a reply-to mismatch
// for example we've observed:
// Sender: Norton <quickbooks@notification.intuit.com>
// Reply-to: foo@outlook.com
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
and (
sender.email.domain.root_domain not in $tranco_1m
or any(headers.reply_to,
.email.domain.domain != sender.email.domain.domain
)
)
)
or (
(
length(recipients.to) == 0
or all(recipients.to, .display_name == "Undisclosed recipients")
)
and length(recipients.cc) == 0
and length(recipients.bcc) == 0
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Free email provider"
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "File analysis"
- "Header analysis"
- "Sender analysis"
id: "32bd9efd-67ba-54e2-81d0-89cf16e85a70"