EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Brand impersonation: Interac

Impersonation of the Canadian interbanking network Interac. Seen in the wild impersonating carbon tax rebates and tax return refunds.

MITRE ATT&CK

T1566.002T1534T1656T1598.003T1583.001T1566T1598
initial-access

Detection Query

type.inbound
and (
  strings.ilike(sender.display_name, '*interac e-transfer*')
  or strings.ilike(sender.display_name, "*interac e?trasfer*")
  or strings.ilike(subject.subject, '*interac e-transfer*')
  or strings.ilevenshtein(sender.display_name, 'interac e-transfer') <= 2
)
and sender.email.domain.root_domain not in ('interac.ca')
and 1 of (
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "org" and strings.icontains(.text, "interac")
  ),
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "financial"
  ),
)
and not profile.by_sender().solicited

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand impersonation: Interac"
description: "Impersonation of the Canadian interbanking network Interac. Seen in the wild impersonating carbon tax rebates and tax return refunds."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name, '*interac e-transfer*')
    or strings.ilike(sender.display_name, "*interac e?trasfer*")
    or strings.ilike(subject.subject, '*interac e-transfer*')
    or strings.ilevenshtein(sender.display_name, 'interac e-transfer') <= 2
  )
  and sender.email.domain.root_domain not in ('interac.ca')
  and 1 of (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "org" and strings.icontains(.text, "interac")
    ),
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "financial"
    ),
  )
  and not profile.by_sender().solicited
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "50a883dc-a2f8-56d7-ad91-a8397e4ab941"