← Back to Explore
sublimemediumRule
Brand Impersonation: Gemini Trust Company
Detects messages impersonating Gemini Trust Company through analysis of footer content, social media links, and address verification, excluding legitimate communications from authenticated Gemini domains.
Detection Query
type.inbound
and (
// the address in the footer
(
regex.icontains(body.current_thread.text,
"600 Third Avenue.{1,2}2nd Floor.{1,2}New York, NY"
)
and strings.icontains(body.current_thread.text, "Gemini Trust Company")
)
// logo detect combined with sender display name
// need to be more specific here due to other uses of the word "Gemini"
or (
sender.display_name =~ "Gemini"
and any(ml.logo_detect(file.message_screenshot()).brands,
.name == "Gemini Trust" and .confidence != "low"
)
)
// copyright footer
or strings.icontains(body.current_thread.text,
'© 2025 Gemini Trust Company, LLC'
)
// the social links in the footer
or (
length(filter(body.links,
strings.icontains(.href_url.url,
'https://www.instagram.com/gemini/'
)
or strings.icontains(.href_url.url,
'https://www.linkedin.com/company/geminitrust/'
)
or strings.icontains(.href_url.url,
'https://facebook.com/GeminiTrust'
)
or strings.icontains(.href_url.url,
'https://twitter.com/Gemini'
)
or strings.icontains(.href_url.url,
'https://support.gemini.com/hc/en-us/requests/new'
)
or strings.icontains(.href_url.url,
'https://support.gemini.com/hc/en-us/requests/new'
)
)
) >= 4
)
)
// not forwards/replies
and not (
length(headers.references) > 0
and (subject.is_forward or subject.is_reply)
and length(body.previous_threads) >= 1
)
// not from Gemini actual
and not (
sender.email.domain.root_domain in (
"gemini.com",
"niftygateway.com" // NFT market place owned by Gemini Trust Company
)
and headers.auth_summary.dmarc.pass
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand Impersonation: Gemini Trust Company"
description: "Detects messages impersonating Gemini Trust Company through analysis of footer content, social media links, and address verification, excluding legitimate communications from authenticated Gemini domains."
type: "rule"
severity: "medium"
source: |
type.inbound
and (
// the address in the footer
(
regex.icontains(body.current_thread.text,
"600 Third Avenue.{1,2}2nd Floor.{1,2}New York, NY"
)
and strings.icontains(body.current_thread.text, "Gemini Trust Company")
)
// logo detect combined with sender display name
// need to be more specific here due to other uses of the word "Gemini"
or (
sender.display_name =~ "Gemini"
and any(ml.logo_detect(file.message_screenshot()).brands,
.name == "Gemini Trust" and .confidence != "low"
)
)
// copyright footer
or strings.icontains(body.current_thread.text,
'© 2025 Gemini Trust Company, LLC'
)
// the social links in the footer
or (
length(filter(body.links,
strings.icontains(.href_url.url,
'https://www.instagram.com/gemini/'
)
or strings.icontains(.href_url.url,
'https://www.linkedin.com/company/geminitrust/'
)
or strings.icontains(.href_url.url,
'https://facebook.com/GeminiTrust'
)
or strings.icontains(.href_url.url,
'https://twitter.com/Gemini'
)
or strings.icontains(.href_url.url,
'https://support.gemini.com/hc/en-us/requests/new'
)
or strings.icontains(.href_url.url,
'https://support.gemini.com/hc/en-us/requests/new'
)
)
) >= 4
)
)
// not forwards/replies
and not (
length(headers.references) > 0
and (subject.is_forward or subject.is_reply)
and length(body.previous_threads) >= 1
)
// not from Gemini actual
and not (
sender.email.domain.root_domain in (
"gemini.com",
"niftygateway.com" // NFT market place owned by Gemini Trust Company
)
and headers.auth_summary.dmarc.pass
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "URL analysis"
- "Sender analysis"
- "Header analysis"
id: "99574c94-5095-5ec3-a63c-100fdd7dd414"