← Back to Explore
sublimemediumRule
Brand impersonation: Evite
Detects messages impersonating Evite invitations by looking for invitation language while not originating from legitimate Evite domains.
Detection Query
type.inbound
and strings.contains(body.html.raw, 'evitecdn.com')
and length(filter(html.xpath(body.html, '//img/@src').nodes,
// calling parse_url allows url decoding to help us
strings.parse_url(.raw).domain.root_domain == 'evitecdn.com'
)
) >= 2
and length(filter(body.links,
.href_url.domain.root_domain == "evite.com"
and regex.contains(.href_url.path, '^/_ct/[a-f0-9]{40}/')
)
) < 3
and not (
(subject.is_forward or subject.is_reply)
and (length(headers.references) != 0 or headers.in_reply_to is not null)
and length(body.previous_threads) > 0
)
and not (
sender.email.domain.root_domain == "evite.com"
and headers.auth_summary.dmarc.pass
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Evite"
description: "Detects messages impersonating Evite invitations by looking for invitation language while not originating from legitimate Evite domains."
type: "rule"
severity: "medium"
source: |
type.inbound
and strings.contains(body.html.raw, 'evitecdn.com')
and length(filter(html.xpath(body.html, '//img/@src').nodes,
// calling parse_url allows url decoding to help us
strings.parse_url(.raw).domain.root_domain == 'evitecdn.com'
)
) >= 2
and length(filter(body.links,
.href_url.domain.root_domain == "evite.com"
and regex.contains(.href_url.path, '^/_ct/[a-f0-9]{40}/')
)
) < 3
and not (
(subject.is_forward or subject.is_reply)
and (length(headers.references) != 0 or headers.in_reply_to is not null)
and length(body.previous_threads) > 0
)
and not (
sender.email.domain.root_domain == "evite.com"
and headers.auth_summary.dmarc.pass
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Sender analysis"
id: "9e867a2b-0175-5d8a-b22f-29bfb3ba6a60"