Source: Sublime · Severity: medium · Type: Rule
Brand impersonation: Robinhood
Detects messages impersonating Robinhood by analyzing the sender display name, sender domain, body content (including specific address references) and social-media links, while excluding legitimate Robinhood communications that pass DMARC authentication.
Detection Query
// Brand impersonation: Robinhood.
// Fires on inbound mail that shows Robinhood branding through one of several
// independent signals (NLU entities/intents, sign-off text, address strings,
// account-alert wording, or links to Robinhood social-media profiles), then
// negates legitimate replies/forwards, high-confidence newsletters, and mail
// from the listed Robinhood-related root domains when it passes DMARC.
type.inbound
and (
  // 1. NLU: an org/sender entity naming Robinhood, combined with a
  //    callback_scam intent at any confidence other than "low"
  (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name in ("org", "sender") and strings.icontains(.text, 'Robinhood')
    )
    and (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "callback_scam" and .confidence != "low"
      )
    )
  )
  // 2. sign-off phrase
  or strings.icontains(body.current_thread.text, 'The Robinhood Team')
  // 3. copyright line, e.g. "© 2024 Robinhood"
  //    (the doubled \s* matches exactly what a single \s* does; harmless)
  or regex.icontains(body.current_thread.text, '©\s*20[0-9]{2}\s*\s*Robinhood')
  // 4. brand name plus street-address / city-ZIP strings: any two of three
  //    NOTE(review): confirm the street number and ZIP match the address text
  //    seen in the lures this branch is meant to catch
  or 2 of (
    strings.icontains(body.current_thread.text, "Robinhood"),
    regex.icontains(body.current_thread.text, '42 Willow (?:Road|St)'),
    strings.icontains(body.current_thread.text, "Menlo Park, CA 97095")
  )
  // 5. Robinhood in the (attacker-controlled) display name plus
  //    security-alert wording: three of the four login-alert field labels,
  //    or a passkey notice. The labels are generic on their own; the 3-of
  //    threshold and the display-name requirement keep this branch specific.
  or (
    strings.icontains(sender.display_name, 'Robinhood')
    and (
      3 of (
        regex.icontains(body.current_thread.text, 'Location:?'),
        regex.icontains(body.current_thread.text, 'Time:'),
        regex.icontains(body.current_thread.text, 'Device:?'),
        regex.icontains(body.current_thread.text, 'IP Address:?')
      )
      or strings.icontains(body.current_thread.text, "new passkey added")
    )
  )
  // 6. at least two links whose URL contains one of these Robinhood
  //    social-media profile URLs (substring match, so a longer URL that
  //    embeds one of them also counts)
  or (
    length(filter(body.links,
                  strings.icontains(.href_url.url,
                                    'https://www.facebook.com/robinhood'
                  )
                  or strings.icontains(.href_url.url,
                                       'https://twitter.com/robinhoodapp'
                  )
                  or strings.icontains(.href_url.url,
                                       'https://www.youtube.com/@RobinhoodApp'
                  )
                  or strings.icontains(.href_url.url,
                                       'https://www.instagram.com/robinhood'
                  )
           )
    ) >= 2
  )
)
// negate legitimate replies and forwards
// Net effect: the message is negated only when it carries a non-empty
// References header AND its subject looks like a reply or forward.
// Assuming headers.references is always a list (never null), the
// In-Reply-To hop check below cannot change the outcome -- TODO confirm
// whether it is kept for null handling before simplifying.
and (
  (
    (
      length(headers.references) > 0
      or not any(headers.hops,
                 any(.fields, strings.ilike(.name, "In-Reply-To"))
      )
    )
    and not (subject.is_reply or subject.is_forward)
  )
  or length(headers.references) == 0
)
// negate newsletters and webinars
// (only when the topic classifier reports high confidence)
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name in ("Newsletters and Digests", "Events and Webinars")
            and .confidence == "high"
)
// negate the listed root domains, but only when DMARC passes.
// coalesce() turns a missing DMARC result into false, so a message that
// merely claims one of these domains without passing DMARC is still
// evaluated by the branches above.
and not (
  sender.email.domain.root_domain in (
    "robinhood.com",
    "robinhood.org",
    "duck.com", // unrelated domain
    "robinhoodauctions.com", // unrelated domain
    "bitstamp.net" // robinhood acquisition
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
# Sublime Security detection rule. The `source` block scalar holds the MQL
# detection query; it must be indented under `source: |` to parse as YAML.
name: "Brand impersonation: Robinhood"
description: "Detects messages impersonating Robinhood by analyzing sender display name, domain, body content including specific address references, and social media links, while excluding legitimate Robinhood communications with proper DMARC authentication."
type: "rule"
severity: "medium"
source: |
  // Fires on inbound mail that shows Robinhood branding through one of several
  // independent signals, then negates legitimate replies/forwards,
  // high-confidence newsletters, and DMARC-passing mail from the listed domains.
  type.inbound
  and (
    // 1. NLU: an org/sender entity naming Robinhood, combined with a
    //    callback_scam intent at any confidence other than "low"
    (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name in ("org", "sender") and strings.icontains(.text, 'Robinhood')
      )
      and (
        any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "callback_scam" and .confidence != "low"
        )
      )
    )
    // 2. sign-off phrase
    or strings.icontains(body.current_thread.text, 'The Robinhood Team')
    // 3. copyright line, e.g. "© 2024 Robinhood"
    //    (the doubled \s* matches exactly what a single \s* does; harmless)
    or regex.icontains(body.current_thread.text, '©\s*20[0-9]{2}\s*\s*Robinhood')
    // 4. brand name plus street-address / city-ZIP strings: any two of three
    //    NOTE(review): confirm the street number and ZIP match the address text
    //    seen in the lures this branch is meant to catch
    or 2 of (
      strings.icontains(body.current_thread.text, "Robinhood"),
      regex.icontains(body.current_thread.text, '42 Willow (?:Road|St)'),
      strings.icontains(body.current_thread.text, "Menlo Park, CA 97095")
    )
    // 5. Robinhood in the (attacker-controlled) display name plus
    //    security-alert wording: three of the four login-alert field labels,
    //    or a passkey notice. The 3-of threshold and the display-name
    //    requirement keep this branch specific.
    or (
      strings.icontains(sender.display_name, 'Robinhood')
      and (
        3 of (
          regex.icontains(body.current_thread.text, 'Location:?'),
          regex.icontains(body.current_thread.text, 'Time:'),
          regex.icontains(body.current_thread.text, 'Device:?'),
          regex.icontains(body.current_thread.text, 'IP Address:?')
        )
        or strings.icontains(body.current_thread.text, "new passkey added")
      )
    )
    // 6. at least two links whose URL contains one of these Robinhood
    //    social-media profile URLs (substring match)
    or (
      length(filter(body.links,
                    strings.icontains(.href_url.url,
                                      'https://www.facebook.com/robinhood'
                    )
                    or strings.icontains(.href_url.url,
                                         'https://twitter.com/robinhoodapp'
                    )
                    or strings.icontains(.href_url.url,
                                         'https://www.youtube.com/@RobinhoodApp'
                    )
                    or strings.icontains(.href_url.url,
                                         'https://www.instagram.com/robinhood'
                    )
             )
      ) >= 2
    )
  )
  // negate legitimate replies and forwards
  // Net effect: negated only when References is non-empty AND the subject
  // looks like a reply or forward. Assuming headers.references is always a
  // list (never null), the In-Reply-To hop check cannot change the outcome
  // -- TODO confirm whether it is kept for null handling before simplifying.
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (subject.is_reply or subject.is_forward)
    )
    or length(headers.references) == 0
  )
  // negate newsletters and webinars
  // (only when the topic classifier reports high confidence)
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in ("Newsletters and Digests", "Events and Webinars")
              and .confidence == "high"
  )
  // negate the listed root domains, but only when DMARC passes.
  // coalesce() turns a missing DMARC result into false, so a message that
  // merely claims one of these domains without passing DMARC is still
  // evaluated by the branches above.
  and not (
    sender.email.domain.root_domain in (
      "robinhood.com",
      "robinhood.org",
      "duck.com", // unrelated domain
      "robinhoodauctions.com", // unrelated domain
      "bitstamp.net" // robinhood acquisition
    )
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
# Classification metadata used by the rule catalogue.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
# Stable rule identifier.
id: "7c8eca19-63ac-5cd3-a92b-4fb34b526683"