← Back to Explore
sublimelowRule
Brand impersonation: Exodus
Attack impersonating Exodus Wallet.
Detection Query
type.inbound
and (
strings.ilike(sender.display_name, "*exodus*")
or (
strings.ilike(sender.email.domain.root_domain, "*exodus*")
and network.whois(sender.email.domain).days_old <= 30
)
)
and sender.email.domain.root_domain not in (
"exodus.com",
"exodus.io",
"exodusescaperoom.com"
)
and sender.email.email not in $recipient_emails
and (
any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
or any(ml.nlu_classifier(body.current_thread.text).entities,
.text == "wallet"
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Tags
Cryptocurrency
Raw Content
name: "Brand impersonation: Exodus"
description: |
Attack impersonating Exodus Wallet.
references:
- "https://exodus.com"
type: "rule"
severity: "low"
source: |
type.inbound
and (
strings.ilike(sender.display_name, "*exodus*")
or (
strings.ilike(sender.email.domain.root_domain, "*exodus*")
and network.whois(sender.email.domain).days_old <= 30
)
)
and sender.email.domain.root_domain not in (
"exodus.com",
"exodus.io",
"exodusescaperoom.com"
)
and sender.email.email not in $recipient_emails
and (
any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
or any(ml.nlu_classifier(body.current_thread.text).entities,
.text == "wallet"
)
)
tags:
- "Cryptocurrency"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Header analysis"
- "Natural Language Understanding"
- "Sender analysis"
id: "40c77ecc-782d-595a-a042-7fe7e4d756ee"