
Brand impersonation: Netflix

Impersonation of Netflix.

Detection Query

// Flags inbound mail that impersonates Netflix through one of five signals: a lookalike
// sender display name, a lookalike sender domain, Netflix branding in the rendered message
// paired with an account-suspension or credential-theft lure, the Netflix postal address in
// the body, or an undisclosed-recipient pattern combined with a logo and a phishing link.
// Mail from DMARC-authenticated Netflix-owned domains and from solicited senders is excluded.
type.inbound
and (
  // obfuscated sender display name
  (
    // guard: the string helpers below are only evaluated when a display name is present
    sender.display_name is not null
    and (
      // homoglyphs are normalised first; the pattern also tolerates m/n and li/il swaps
      regex.icontains(strings.replace_confusables(sender.display_name),
                      '[nm]etf[li][il]x'
      )
      // edit distance of at most 1 from "netflix" (one added, dropped or changed character)
      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                              'netflix'
      ) <= 1
      // "netflix" with up to three arbitrary characters between each letter (padding or
      // separator tricks); NOTE(review): a long display name that merely contains these
      // letters in order with short gaps may also match - confirm against false-positive rate
      or regex.icontains(strings.replace_confusables(sender.display_name),
                         'n.{0,3}e.{0,3}t.{0,3}f.{0,3}l.{0,3}i.{0,3}x.{0,3}'
      )
    )
  )
  // obfuscated sender email domain
  // same confusable-normalised pattern applied to the full sender domain (not only the root)
  or regex.icontains(strings.replace_confusables(sender.email.domain.domain),
                     '[nm]etf[li][il]x'
  )
  // logo detection on message screenshot (no link analysis)
  // Netflix logo at medium/high confidence, plus either suspension wording in the OCR'd
  // screenshot or an NLU credential-theft + financial + support combination on the body
  or (
    any(ml.logo_detect(file.message_screenshot()).brands,
        .name == "Netflix" and .confidence in ("medium", "high")
    )
    and (
      // non NLU based keywords on the screenshot
      regex.icontains(beta.ocr(file.message_screenshot()).text,
                      'suspen(?:ded|sion)'
      )
      or 
      // combo of NLU cred_theft + financial + Customer Service and Support
      (
        any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "cred_theft"
        )
        and any(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "financial"
        )
        and any(ml.nlu_classifier(body.current_thread.text).topics,
                .name == "Customer Service and Support"
        )
      )
    )
  )
  // Address Detection
  // at least two of the three Netflix postal-address fragments appear in the body text
  or 2 of (
    strings.icontains(body.current_thread.text, 'Netflix, Inc'),
    strings.icontains(body.current_thread.text, '100 Winchester Circle'),
    strings.icontains(body.current_thread.text, 'Los Gatos, CA 95032')
  )
  // unusual recipient pattern + logo detect + credphish disposition
  // no To: recipients, or every To:/Cc: address has an invalid domain, combined with a
  // Netflix logo and at least one body link that link analysis rates as phishing
  or (
    (
      length(recipients.to) == 0
      or (
        all(recipients.to, .email.domain.valid == false)
        and all(recipients.cc, .email.domain.valid == false)
      )
    )
    and any(ml.logo_detect(file.message_screenshot()).brands,
            .name == "Netflix" and .confidence in ("medium", "high")
    )
    and (
      any(body.links,
          ml.link_analysis(.).credphish.disposition == "phishing"
          and ml.link_analysis(.).credphish.confidence in ("medium", "high")
      )
    )
  )
)
// negation of legit domains
// only DMARC-authenticated mail from these root domains is excluded; coalesce() treats a
// missing DMARC result as a failure, so a spoofed From: on one of these domains still matches
and not (
  sender.email.domain.root_domain in (
    'netflix.com',
    'dvd.com',
    'netflixfamily.com',
    'netflixpreviewclub.com',
    'netflixanimation.com',
    'envoy.com',
    'lexisnexis.com',
    'netflix.shop',
    'netflixcontractors.com', // owned by netflix
    'netflixevents.com', // owned by netflix
    'netelixir.com', // unrelated marketing
    'netflixhouse.com', // owned by netflix
    'instagram.com',
    'netflix.net',
    'netflixshopsupport.com', // owned by netflix
    'netflixpartner.com', // owned by netflix
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
// exact-domain exclusion for the Netflix support domain, again only when DMARC passes
// (presumably listed by full domain so the zendesk.com root is not excluded as a whole)
and not (
  sender.email.domain.domain in (
    'netflix.zendesk.com' // netflix actual support
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
// senders whose profile marks them as solicited are never flagged
and not profile.by_sender_email().solicited

Author

min0k

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Detection rule definition. The `source` block scalar below holds the query that is
# evaluated against each inbound message; the remaining keys are metadata and labels.
name: "Brand impersonation: Netflix"
description: |
  Impersonation of Netflix.
references:
  - "https://news.trendmicro.com/2023/01/18/netflix-scams-2023-job-text-email/"
type: "rule"
severity: "low"
authors:
  - name: "min0k"
# Query logic: one of five impersonation signals (lookalike display name, lookalike sender
# domain, logo + lure, postal address, undisclosed recipients + logo + phishing link), minus
# DMARC-authenticated Netflix-owned domains and solicited senders.
source: |
  type.inbound
  and (
    // obfuscated sender display name
    (
      // guard: the string helpers below are only evaluated when a display name is present
      sender.display_name is not null
      and (
        // homoglyphs are normalised first; the pattern also tolerates m/n and li/il swaps
        regex.icontains(strings.replace_confusables(sender.display_name),
                        '[nm]etf[li][il]x'
        )
        // edit distance of at most 1 from "netflix"
        or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                                'netflix'
        ) <= 1
        // "netflix" with up to three arbitrary characters between each letter;
        // NOTE(review): long display names containing these letters in order with short
        // gaps may also match - confirm against false-positive rate
        or regex.icontains(strings.replace_confusables(sender.display_name),
                           'n.{0,3}e.{0,3}t.{0,3}f.{0,3}l.{0,3}i.{0,3}x.{0,3}'
        )
      )
    )
    // obfuscated sender email domain
    // same confusable-normalised pattern on the full sender domain (not only the root)
    or regex.icontains(strings.replace_confusables(sender.email.domain.domain),
                       '[nm]etf[li][il]x'
    )
    // logo detection on message screenshot (no link analysis)
    // Netflix logo at medium/high confidence, plus either suspension wording in the OCR'd
    // screenshot or an NLU credential-theft + financial + support combination on the body
    or (
      any(ml.logo_detect(file.message_screenshot()).brands,
          .name == "Netflix" and .confidence in ("medium", "high")
      )
      and (
        // non NLU based keywords on the screenshot
        regex.icontains(beta.ocr(file.message_screenshot()).text,
                        'suspen(?:ded|sion)'
        )
        or 
        // combo of NLU cred_theft + financial + Customer Service and Support
        (
          any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "cred_theft"
          )
          and any(ml.nlu_classifier(body.current_thread.text).entities,
                  .name == "financial"
          )
          and any(ml.nlu_classifier(body.current_thread.text).topics,
                  .name == "Customer Service and Support"
          )
        )
      )
    )
    // Address Detection
    // at least two of the three Netflix postal-address fragments appear in the body text
    or 2 of (
      strings.icontains(body.current_thread.text, 'Netflix, Inc'),
      strings.icontains(body.current_thread.text, '100 Winchester Circle'),
      strings.icontains(body.current_thread.text, 'Los Gatos, CA 95032')
    )
    // unusual recipient pattern + logo detect + credphish disposition
    // no To: recipients, or every To:/Cc: address has an invalid domain, combined with a
    // Netflix logo and at least one body link that link analysis rates as phishing
    or (
      (
        length(recipients.to) == 0
        or (
          all(recipients.to, .email.domain.valid == false)
          and all(recipients.cc, .email.domain.valid == false)
        )
      )
      and any(ml.logo_detect(file.message_screenshot()).brands,
              .name == "Netflix" and .confidence in ("medium", "high")
      )
      and (
        any(body.links,
            ml.link_analysis(.).credphish.disposition == "phishing"
            and ml.link_analysis(.).credphish.confidence in ("medium", "high")
        )
      )
    )
  )
  // negation of legit domains
  // only DMARC-authenticated mail from these root domains is excluded; coalesce() treats a
  // missing DMARC result as a failure, so a spoofed From: on these domains still matches
  and not (
    sender.email.domain.root_domain in (
      'netflix.com',
      'dvd.com',
      'netflixfamily.com',
      'netflixpreviewclub.com',
      'netflixanimation.com',
      'envoy.com',
      'lexisnexis.com',
      'netflix.shop',
      'netflixcontractors.com', // owned by netflix
      'netflixevents.com', // owned by netflix
      'netelixir.com', // unrelated marketing
      'netflixhouse.com', // owned by netflix
      'instagram.com',
      'netflix.net',
      'netflixshopsupport.com', // owned by netflix
      'netflixpartner.com', // owned by netflix
    )
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  // exact-domain exclusion for the Netflix support domain, again only when DMARC passes
  // (presumably listed by full domain so the zendesk.com root is not excluded as a whole)
  and not (
    sender.email.domain.domain in (
      'netflix.zendesk.com' // netflix actual support
    )
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  // senders whose profile marks them as solicited are never flagged
  and not profile.by_sender_email().solicited
# Classification labels attached to the rule; they do not affect the query above.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
# Stable identifier for this rule.
id: "9f39eea5-2edf-524d-b68b-d8d0bdb74273"