← Back to Explore
sublimemediumRule
Brand impersonation: Silicon Valley Bank
Detects emails that impersonate Silicon Valley Bank
Detection Query
type.inbound
and (
regex.icontains(sender.email.domain.domain,
"(silicon(e)?.{0,10}(valley|bank)|svb)"
)
or strings.ilevenshtein(sender.display_name, 'svb') <= 1
)
and network.whois(sender.email.domain).days_old <= 30
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Silicon Valley Bank"
description: "Detects emails that impersonate Silicon Valley Bank"
type: "rule"
severity: "medium"
source: |
type.inbound
and (
regex.icontains(sender.email.domain.domain,
"(silicon(e)?.{0,10}(valley|bank)|svb)"
)
or strings.ilevenshtein(sender.display_name, 'svb') <= 1
)
and network.whois(sender.email.domain).days_old <= 30
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Lookalike domain"
- "Social engineering"
detection_methods:
- "Sender analysis"
- "Whois"
id: "a01f61d9-a01a-548c-9a48-49f8d3732d05"