← Back to Explore
sublimelowRule
Brand impersonation: Ledger
Attack impersonating hardware cryptocurrency wallet ledger.com's brand.
Detection Query
type.inbound
and (
(
sender.email.domain.root_domain == 'ledger.com'
and headers.return_path.domain.root_domain not in (
'ledger.com',
'amazonses.com',
'ledger.fr',
'hubspotemail.net'
)
)
or (
(
// only match ledger actual domains if dmarc fails
not (
sender.email.domain.root_domain in~ ('ledger.com', 'ledger.fr')
and headers.auth_summary.dmarc.pass
)
or not sender.email.domain.root_domain in~ ('ledger.com', 'ledger.fr')
)
and (
strings.ilike(sender.email.email, '*-ledger.com*')
or sender.display_name =~ "ledger"
or strings.istarts_with(sender.display_name, "ledger")
or strings.ilevenshtein(sender.email.domain.sld, "ledger") <= 1
)
and (
// if this comes from a free email provider,
// flag if org has never sent an email to sender's email before
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
// if this comes from a custom domain,
// flag if org has never sent an email to sender's domain before
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
)
)
)
)
and sender.email.domain.root_domain not in (
// Fortune has a newsletter called "The Ledger"
'fortune.com',
'velocityledger.com',
'lever.co',
'queensledger.com',
'libertyledger.com',
'uledger.io',
'ledgers.org.uk',
'leger.co.uk',
'xledger.net'
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Tags
Cryptocurrency
Raw Content
name: "Brand impersonation: Ledger"
description: |
Attack impersonating hardware cryptocurrency wallet ledger.com's brand.
references:
- "https://ledger.com"
type: "rule"
severity: "low"
source: |
type.inbound
and (
(
sender.email.domain.root_domain == 'ledger.com'
and headers.return_path.domain.root_domain not in (
'ledger.com',
'amazonses.com',
'ledger.fr',
'hubspotemail.net'
)
)
or (
(
// only match ledger actual domains if dmarc fails
not (
sender.email.domain.root_domain in~ ('ledger.com', 'ledger.fr')
and headers.auth_summary.dmarc.pass
)
or not sender.email.domain.root_domain in~ ('ledger.com', 'ledger.fr')
)
and (
strings.ilike(sender.email.email, '*-ledger.com*')
or sender.display_name =~ "ledger"
or strings.istarts_with(sender.display_name, "ledger")
or strings.ilevenshtein(sender.email.domain.sld, "ledger") <= 1
)
and (
// if this comes from a free email provider,
// flag if org has never sent an email to sender's email before
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
// if this comes from a custom domain,
// flag if org has never sent an email to sender's domain before
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
)
)
)
)
and sender.email.domain.root_domain not in (
// Fortune has a newsletter called "The Ledger"
'fortune.com',
'velocityledger.com',
'lever.co',
'queensledger.com',
'libertyledger.com',
'uledger.io',
'ledgers.org.uk',
'leger.co.uk',
'xledger.net'
)
tags:
- "Cryptocurrency"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Lookalike domain"
- "Social engineering"
detection_methods:
- "Header analysis"
- "Sender analysis"
id: "5f934755-cd03-5f4c-a5bd-a8899e7108c1"