
Impersonation: Legal firm with copyright infringement notice

Detects messages impersonating legal firms or copyright enforcement entities with extensive legal terminology, threatening language, and urgent compliance demands.

Detection Query

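type.inbound
// single-message threads only: a quoted reply chain would skew the keyword counts below
and length(body.previous_threads) == 0
// short bodies only, so the 15-term threshold below still reflects keyword density
and length(body.current_thread.text) < 5000
// at least one link (the demanded action) but not a bulk-mail-sized link list
and 0 < length(body.links) < 10

// common strings in subject or base
// any two matches across the subject and the sender display name
and (
  2 of (
    strings.ilike(subject.base, '*Content*'),
    strings.ilike(subject.base, '*Compliance*'),
    strings.ilike(subject.base, '*Review*'),
    strings.ilike(subject.base, '*Legal*'),
    strings.ilike(subject.base, '*Formal*'),
    strings.ilike(subject.base, '*LLP*'),
    strings.ilike(subject.base, '*Unauthorized*'),
    strings.ilike(subject.base, '*Trademark*'),
    strings.ilike(subject.base, '*Law*'),
    strings.ilike(subject.base, '*Enforcement*'),
    strings.ilike(subject.base, '*Copyright*'),
    strings.ilike(subject.base, '*Violat*'),
    strings.ilike(subject.base, '*Intellectual*'),
    strings.ilike(subject.base, '*Concerning*'),
    strings.ilike(subject.base, '*Notice*'),
    strings.ilike(subject.base, '*Clarification*'),
    strings.ilike(subject.base, '*Matter*'),
    strings.ilike(sender.display_name, '*Content*'),
    strings.ilike(sender.display_name, '*Copyright*'),
    strings.ilike(sender.display_name, '*Review*'),
    strings.ilike(sender.display_name, '*Legal*'),
    strings.ilike(sender.display_name, '*Investigation*'),
    strings.ilike(sender.display_name, '*LLP*'),
    strings.ilike(sender.display_name, '*Law*'),
    strings.ilike(sender.display_name, '*Intellectual*'),
    strings.ilike(sender.display_name, '*Notice*'),
    strings.ilike(sender.display_name, '*Matter*')
  )
)

// common strings in email current thread
// 15 distinct legal / urgency terms must appear in the current thread text
and 15 of (
  strings.ilike(body.current_thread.text, '*copyright*'),
  strings.ilike(body.current_thread.text, '*trademark*'),
  strings.ilike(body.current_thread.text, '*inquiry*'),
  strings.ilike(body.current_thread.text, '*online*'),
  strings.ilike(body.current_thread.text, '*authorized*'),
  strings.ilike(body.current_thread.text, '*legal*'),
  strings.ilike(body.current_thread.text, '*represent*'),
  strings.ilike(body.current_thread.text, '*lawful*'),
  strings.ilike(body.current_thread.text, '*owner*'),
  strings.ilike(body.current_thread.text, '*materials*'),
  strings.ilike(body.current_thread.text, '*protected*'),
  strings.ilike(body.current_thread.text, '*infring*'),
  strings.ilike(body.current_thread.text, '*immediate*'),
  strings.ilike(body.current_thread.text, '*cessation*'),
  strings.ilike(body.current_thread.text, '*content*'),
  strings.ilike(body.current_thread.text, '*referenced*'),
  strings.ilike(body.current_thread.text, '*17 U.S.C. §*'),
  strings.ilike(body.current_thread.text, '*constitutes*'),
  strings.ilike(body.current_thread.text, '*authorization*'),
  strings.ilike(body.current_thread.text, '*removal*'),
  strings.ilike(body.current_thread.text, '*comply*'),
  strings.ilike(body.current_thread.text, '*failure*'),
  strings.ilike(body.current_thread.text, '*law firm*'),
  strings.ilike(body.current_thread.text, '*LLP*'),
  strings.ilike(body.current_thread.text, '*compliance*'),
  strings.ilike(body.current_thread.text, '*cease*'),
  strings.ilike(body.current_thread.text, '*protect*'),
  strings.ilike(body.current_thread.text, '*rights*'),
  strings.ilike(body.current_thread.text, '*penalty*'),
  strings.ilike(body.current_thread.text, '*perjury*'),
  strings.ilike(body.current_thread.text, '*holder*'),
  strings.ilike(body.current_thread.text, '*declare*'),
  strings.ilike(body.current_thread.text, '*sworn*'),
  strings.ilike(body.current_thread.text, '*affidavit*'),
  strings.ilike(body.current_thread.text, '*investigation*'),
  strings.ilike(body.current_thread.text, '*identified*'),
  strings.ilike(body.current_thread.text, '*reproduction*'),
  strings.ilike(body.current_thread.text, '*license*'),
  strings.ilike(body.current_thread.text, '*granted*'),
  strings.ilike(body.current_thread.text, '*permitting*'),
  strings.ilike(body.current_thread.text, '*evidence*'),
  strings.ilike(body.current_thread.text, '*proceedings*'),
  strings.ilike(body.current_thread.text, '*evidentiary*'),
  strings.ilike(body.current_thread.text, '*remove*'),
  strings.ilike(body.current_thread.text, '*suspend*'),
  strings.ilike(body.current_thread.text, '*discontinue*'),
  strings.ilike(body.current_thread.text, '*72 hours*'),
  strings.ilike(body.current_thread.text, '*48 hours*'),
  strings.ilike(body.current_thread.text, '*24 hours*'),
  strings.ilike(body.current_thread.text, '*proof*'),
  strings.ilike(body.current_thread.text, '*unresolved*'),
  strings.ilike(body.current_thread.text, '*accordance*'),
  strings.ilike(body.current_thread.text, '*procedures*'),
  strings.ilike(body.current_thread.text, '*interests*'),
  strings.ilike(body.current_thread.text, '*appeal*'),
  strings.ilike(body.current_thread.text, '*clarification*'),
  strings.ilike(body.current_thread.text, '*notice*')
)

// remove phrase from legitimate complaint
// wording typical of genuine takedown workflows: platform responses and creator attestations
and not regex.icontains(body.current_thread.text,
                        '(?:we are passing the notice below|content has been removed|removed from our website|notice of intended action|I have not granted|I am the original creator|content you reported has been removed|complaint will be carefully reviewed|provide a list of violations|document confirming your right to act)'
)

// not copyright reports
// platform acknowledgements of a report the recipient filed themselves
and not regex.icontains(body.current_thread.text,
                        '(?:confirmation|received).{0,100}copyright report'
)

// verified dmca receiving addresses in the recipient list
// note: only To/Cc/Bcc are matched against this list; the sender address is not
and not any([recipients.cc, recipients.to, recipients.bcc],
            any(.,
                .email.email in (
                  'dmca@vimeo.com',
                  'dmca@support.epicgames.com',
                  'takedowns@doppel.com',
                  'ipenforcement@epicgames.com'
                )
            )
)

// known legitimate IP enforcement sender
// exact root-domain match rather than a substring match, so a lookalike registration that
// merely contains this domain name is not excluded, and the message must pass DMARC so the
// exclusion cannot be reached with a spoofed From header
and not (
  sender.email.domain.root_domain == 'edwinjamesip.com'
  and headers.auth_summary.dmarc.pass
)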

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
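# Sublime Security detection rule; the query in `source` is MQL and is evaluated per inbound message.
name: "Impersonation: Legal firm with copyright infringement notice"
description: "Detects messages impersonating legal firms or copyright enforcement entities with extensive legal terminology, threatening language, and urgent compliance demands."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // single-message threads only: a quoted reply chain would skew the keyword counts below
  and length(body.previous_threads) == 0
  // short bodies only, so the 15-term threshold below still reflects keyword density
  and length(body.current_thread.text) < 5000
  // at least one link (the demanded action) but not a bulk-mail-sized link list
  and 0 < length(body.links) < 10
  
  // common strings in subject or base
  // any two matches across the subject and the sender display name
  and (
    2 of (
      strings.ilike(subject.base, '*Content*'),
      strings.ilike(subject.base, '*Compliance*'),
      strings.ilike(subject.base, '*Review*'),
      strings.ilike(subject.base, '*Legal*'),
      strings.ilike(subject.base, '*Formal*'),
      strings.ilike(subject.base, '*LLP*'),
      strings.ilike(subject.base, '*Unauthorized*'),
      strings.ilike(subject.base, '*Trademark*'),
      strings.ilike(subject.base, '*Law*'),
      strings.ilike(subject.base, '*Enforcement*'),
      strings.ilike(subject.base, '*Copyright*'),
      strings.ilike(subject.base, '*Violat*'),
      strings.ilike(subject.base, '*Intellectual*'),
      strings.ilike(subject.base, '*Concerning*'),
      strings.ilike(subject.base, '*Notice*'),
      strings.ilike(subject.base, '*Clarification*'),
      strings.ilike(subject.base, '*Matter*'),
      strings.ilike(sender.display_name, '*Content*'),
      strings.ilike(sender.display_name, '*Copyright*'),
      strings.ilike(sender.display_name, '*Review*'),
      strings.ilike(sender.display_name, '*Legal*'),
      strings.ilike(sender.display_name, '*Investigation*'),
      strings.ilike(sender.display_name, '*LLP*'),
      strings.ilike(sender.display_name, '*Law*'),
      strings.ilike(sender.display_name, '*Intellectual*'),
      strings.ilike(sender.display_name, '*Notice*'),
      strings.ilike(sender.display_name, '*Matter*')
    )
  )
  
  // common strings in email current thread
  // 15 distinct legal / urgency terms must appear in the current thread text
  and 15 of (
    strings.ilike(body.current_thread.text, '*copyright*'),
    strings.ilike(body.current_thread.text, '*trademark*'),
    strings.ilike(body.current_thread.text, '*inquiry*'),
    strings.ilike(body.current_thread.text, '*online*'),
    strings.ilike(body.current_thread.text, '*authorized*'),
    strings.ilike(body.current_thread.text, '*legal*'),
    strings.ilike(body.current_thread.text, '*represent*'),
    strings.ilike(body.current_thread.text, '*lawful*'),
    strings.ilike(body.current_thread.text, '*owner*'),
    strings.ilike(body.current_thread.text, '*materials*'),
    strings.ilike(body.current_thread.text, '*protected*'),
    strings.ilike(body.current_thread.text, '*infring*'),
    strings.ilike(body.current_thread.text, '*immediate*'),
    strings.ilike(body.current_thread.text, '*cessation*'),
    strings.ilike(body.current_thread.text, '*content*'),
    strings.ilike(body.current_thread.text, '*referenced*'),
    strings.ilike(body.current_thread.text, '*17 U.S.C. §*'),
    strings.ilike(body.current_thread.text, '*constitutes*'),
    strings.ilike(body.current_thread.text, '*authorization*'),
    strings.ilike(body.current_thread.text, '*removal*'),
    strings.ilike(body.current_thread.text, '*comply*'),
    strings.ilike(body.current_thread.text, '*failure*'),
    strings.ilike(body.current_thread.text, '*law firm*'),
    strings.ilike(body.current_thread.text, '*LLP*'),
    strings.ilike(body.current_thread.text, '*compliance*'),
    strings.ilike(body.current_thread.text, '*cease*'),
    strings.ilike(body.current_thread.text, '*protect*'),
    strings.ilike(body.current_thread.text, '*rights*'),
    strings.ilike(body.current_thread.text, '*penalty*'),
    strings.ilike(body.current_thread.text, '*perjury*'),
    strings.ilike(body.current_thread.text, '*holder*'),
    strings.ilike(body.current_thread.text, '*declare*'),
    strings.ilike(body.current_thread.text, '*sworn*'),
    strings.ilike(body.current_thread.text, '*affidavit*'),
    strings.ilike(body.current_thread.text, '*investigation*'),
    strings.ilike(body.current_thread.text, '*identified*'),
    strings.ilike(body.current_thread.text, '*reproduction*'),
    strings.ilike(body.current_thread.text, '*license*'),
    strings.ilike(body.current_thread.text, '*granted*'),
    strings.ilike(body.current_thread.text, '*permitting*'),
    strings.ilike(body.current_thread.text, '*evidence*'),
    strings.ilike(body.current_thread.text, '*proceedings*'),
    strings.ilike(body.current_thread.text, '*evidentiary*'),
    strings.ilike(body.current_thread.text, '*remove*'),
    strings.ilike(body.current_thread.text, '*suspend*'),
    strings.ilike(body.current_thread.text, '*discontinue*'),
    strings.ilike(body.current_thread.text, '*72 hours*'),
    strings.ilike(body.current_thread.text, '*48 hours*'),
    strings.ilike(body.current_thread.text, '*24 hours*'),
    strings.ilike(body.current_thread.text, '*proof*'),
    strings.ilike(body.current_thread.text, '*unresolved*'),
    strings.ilike(body.current_thread.text, '*accordance*'),
    strings.ilike(body.current_thread.text, '*procedures*'),
    strings.ilike(body.current_thread.text, '*interests*'),
    strings.ilike(body.current_thread.text, '*appeal*'),
    strings.ilike(body.current_thread.text, '*clarification*'),
    strings.ilike(body.current_thread.text, '*notice*')
  )
  
  // remove phrase from legitimate complaint
  // wording typical of genuine takedown workflows: platform responses and creator attestations
  and not regex.icontains(body.current_thread.text,
                          '(?:we are passing the notice below|content has been removed|removed from our website|notice of intended action|I have not granted|I am the original creator|content you reported has been removed|complaint will be carefully reviewed|provide a list of violations|document confirming your right to act)'
  )
  
  // not copyright reports
  // platform acknowledgements of a report the recipient filed themselves
  and not regex.icontains(body.current_thread.text,
                          '(?:confirmation|received).{0,100}copyright report'
  )
  
  // verified dmca receiving addresses in the recipient list
  // note: only To/Cc/Bcc are matched against this list; the sender address is not
  and not any([recipients.cc, recipients.to, recipients.bcc],
              any(.,
                  .email.email in (
                    'dmca@vimeo.com',
                    'dmca@support.epicgames.com',
                    'takedowns@doppel.com',
                    'ipenforcement@epicgames.com'
                  )
              )
  )
  
  // known legitimate IP enforcement sender
  // exact root-domain match rather than a substring match, so a lookalike registration that
  // merely contains this domain name is not excluded, and the message must pass DMARC so the
  // exclusion cannot be reached with a spoofed From header
  and not (
    sender.email.domain.root_domain == 'edwinjamesip.com'
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "BEC/Fraud"
  - "Extortion"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "85bf58f6-3891-56ea-ae0a-d88073ade20f"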