
Brand impersonation: Hulu

Impersonation of Hulu.

Detection Query

type.inbound
and (
  regex.icontains(sender.display_name, '\bhulu\b')
  or (
    strings.ilevenshtein(sender.display_name, 'hulu') <= 1
    and not (
      // lulu.com is a self publisher
      sender.display_name =~ "lulu"
      and sender.email.domain.root_domain == "lulu.com"
    )
    and not (
      // hudu.com is an IT documentation management platform
      sender.display_name =~ "hudu"
      and sender.email.domain.root_domain == "hudu.com"
    )
  )
  or strings.ilike(sender.email.domain.domain, '*hulu*')
  or (
    (
      length(recipients.to) == 0
      or (
        all(recipients.to, .email.domain.valid == false)
        and all(recipients.cc, .email.domain.valid == false)
      )
    )
    and any(ml.logo_detect(file.message_screenshot()).brands,
            .name == "Hulu" and .confidence in ("medium", "high")
    )
  )
)
and (
  sender.email.domain.root_domain not in (
    'hulu.com',
    'hulumail.com',
    'hulu.jp',
    'hulu-japan.jp'
  )
  or (
    sender.email.domain.root_domain in (
      'hulu.com',
      'hulumail.com',
      'hulu.jp',
      'hulu-japan.jp'
    )
    and not headers.auth_summary.dmarc.pass
  )
)
and not profile.by_sender().solicited
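To illustrate the sender-side logic of the rule above, here is an added Python re-implementation (not Sublime's MQL engine or the rule's own code) of the display-name, Levenshtein lookalike, lookalike-domain and DMARC checks, run over constructed sample senders. The root-domain helper and the sample messages are assumptions made for the demo, and the logo-detection and profile.by_sender() branches are left out.

```python
import re

# Constructed re-implementation of the rule's sender checks; it is not Sublime's
# MQL engine and omits the logo-detection and profile.by_sender() branches.
HULU_DOMAINS = {"hulu.com", "hulumail.com", "hulu.jp", "hulu-japan.jp"}
# Benign brands one edit away from "hulu", excluded only on their own domain.
NAME_EXCEPTIONS = {"lulu": "lulu.com", "hudu": "hudu.com"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance behind strings.ilevenshtein (case-folded)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def root_domain(domain: str) -> str:
    # Assumption: the last two labels are the registrable domain (fine for the samples).
    return ".".join(domain.lower().split(".")[-2:])

def is_hulu_impersonation(display_name: str, sender_domain: str, dmarc_pass: bool,
                          solicited: bool = False) -> bool:
    name, root = display_name.lower(), root_domain(sender_domain)
    exact_name = re.search(r"\bhulu\b", name) is not None   # regex.icontains
    lookalike_name = levenshtein(name, "hulu") <= 1 and not any(
        name == word and root == dom for word, dom in NAME_EXCEPTIONS.items())
    lookalike_domain = "hulu" in sender_domain.lower()      # ilike '*hulu*'
    brand_signal = exact_name or lookalike_name or lookalike_domain
    # Mail from Hulu's own domains is only suspicious when DMARC does not pass.
    suspicious_sender = root not in HULU_DOMAINS or not dmarc_pass
    return brand_signal and suspicious_sender and not solicited

# Constructed sample senders: (display name, sender domain, DMARC pass).
SAMPLES = {
    "lookalike domain": ("Hulu Billing", "hulu-account-alerts.net", True),
    "spoofed hulu.com": ("Hulu", "hulu.com", False),
    "genuine hulu.com": ("Hulu", "hulu.com", True),
    "lulu.com self-publisher": ("Lulu", "lulu.com", True),
    "hudu-named free-mail": ("Hudu", "gmail.com", True),
}

def evaluate_samples() -> dict:
    return {label: is_hulu_impersonation(*args) for label, args in SAMPLES.items()}

if __name__ == "__main__":
    print(evaluate_samples())
```

Note that the Levenshtein branch compares the whole display name, so it only catches very short names such as "Hudu"; longer names rely on the word-boundary regex or the domain check.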

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Raw Content
name: "Brand impersonation: Hulu"
description: "Impersonation of Hulu."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    regex.icontains(sender.display_name, '\bhulu\b')
    or (
      strings.ilevenshtein(sender.display_name, 'hulu') <= 1
      and not (
        // lulu.com is a self publisher
        sender.display_name =~ "lulu"
        and sender.email.domain.root_domain == "lulu.com"
      )
      and not (
        // hudu.com is an IT documentation management platform
        sender.display_name =~ "hudu"
        and sender.email.domain.root_domain == "hudu.com"
      )
    )
    or strings.ilike(sender.email.domain.domain, '*hulu*')
    or (
      (
        length(recipients.to) == 0
        or (
          all(recipients.to, .email.domain.valid == false)
          and all(recipients.cc, .email.domain.valid == false)
        )
      )
      and any(ml.logo_detect(file.message_screenshot()).brands,
              .name == "Hulu" and .confidence in ("medium", "high")
      )
    )
  )
  and (
    sender.email.domain.root_domain not in (
      'hulu.com',
      'hulumail.com',
      'hulu.jp',
      'hulu-japan.jp'
    )
    or (
      sender.email.domain.root_domain in (
        'hulu.com',
        'hulumail.com',
        'hulu.jp',
        'hulu-japan.jp'
      )
      and not headers.auth_summary.dmarc.pass
    )
  )
  and not profile.by_sender().solicited
attack_types:
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "Sender analysis"
id: "6833de58-23b6-5dea-b7c9-74e7287d8c13"