
Brand impersonation: Barracuda Networks

Impersonation of Barracuda Networks, an IT security company.

Detection Query

type.inbound
and (
  strings.ilike(sender.display_name, '*barracuda*')
  or strings.ilevenshtein(sender.display_name, 'barracuda') <= 1
  or strings.ilike(sender.email.domain.domain, '*barracuda*')
)
and sender.email.domain.root_domain not in (
  'barracuda.com',
  'barracudamsp.com',
  'barracudanetworks.com',
  'netsuite.com',

  // hockey team
  'sharkssports.net',
  'sjbarracuda.com',

  // Barracuda Barcatering
  'barracuda-barcatering.de',

  // Barracuda Events Team
  'worldspan.co.uk',

  // Barracudas Day Camps
  'barracudas.co.uk',

  // BarracudaShoes
  'barracudashoes.it'
)
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content

name: "Brand impersonation: Barracuda Networks"
description: |
  Impersonation of Barracuda Networks, an IT security company.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name, '*barracuda*')
    or strings.ilevenshtein(sender.display_name, 'barracuda') <= 1
    or strings.ilike(sender.email.domain.domain, '*barracuda*')
  )
  and sender.email.domain.root_domain not in (
    'barracuda.com',
    'barracudamsp.com',
    'barracudanetworks.com',
    'netsuite.com',
  
    // hockey team
    'sharkssports.net',
    'sjbarracuda.com',
  
    // Barracuda Barcatering
    'barracuda-barcatering.de',
  
    // Barracuda Events Team
    'worldspan.co.uk',
  
    // Barracudas Day Camps
    'barracudas.co.uk',
  
    // BarracudaShoes
    'barracudashoes.it'
  )
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "583fd5eb-ebd1-5753-944c-1d85f2a82348"