EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Brand impersonation: Coinbase with suspicious links

Detects messages impersonating Coinbase with low reputation or url shortened links.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1036T1027T1598.003
defense-evasioninitial-access

Detection Query

type.inbound
and sender.email.domain.root_domain != "coinbase.com"

// more than 0 less than 5 links
and 0 < length(body.links) < 5

// none of the links are to coinbase.com
and all(body.links, .href_url.domain.root_domain != "coinbase.com")

// low rep or url shortened links found
and any(body.links,
        .href_url.domain.domain in $url_shorteners
        or .href_url.domain.domain in $social_landing_hosts

        // exempting legitimate Google Maps shortener
        and (
          not strings.ilike(.href_url.url, "http?://goo.gl/maps*")
          or (
            .href_url.domain.domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
            or .href_url.domain.domain in $social_landing_hosts
            or 

            // mass mailer link, masks the actual URL
            .href_url.domain.root_domain in (
              "hubspotlinks.com",
              "mandrillapp.com",
              "sendgrid.net",
            )
          )
        )
)
// Coinbase logo
and (
  any(attachments,
      .file_type in $file_types_images
      and any(ml.logo_detect(.).brands, .name == "Coinbase")
  )
  or any(ml.logo_detect(file.message_screenshot()).brands, .name == "Coinbase")
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand impersonation: Coinbase with suspicious links"
description: |
  Detects messages impersonating Coinbase with low reputation or url shortened links.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.root_domain != "coinbase.com"
  
  // more than 0 less than 5 links
  and 0 < length(body.links) < 5
  
  // none of the links are to coinbase.com
  and all(body.links, .href_url.domain.root_domain != "coinbase.com")
  
  // low rep or url shortened links found
  and any(body.links,
          .href_url.domain.domain in $url_shorteners
          or .href_url.domain.domain in $social_landing_hosts
  
          // exempting legitimate Google Maps shortener
          and (
            not strings.ilike(.href_url.url, "http?://goo.gl/maps*")
            or (
              .href_url.domain.domain not in $tranco_1m
              or .href_url.domain.domain in $free_file_hosts
              or .href_url.domain.root_domain in $free_file_hosts
              or .href_url.domain.root_domain in $free_subdomain_hosts
              or .href_url.domain.domain in $url_shorteners
              or .href_url.domain.domain in $social_landing_hosts
              or 
  
              // mass mailer link, masks the actual URL
              .href_url.domain.root_domain in (
                "hubspotlinks.com",
                "mandrillapp.com",
                "sendgrid.net",
              )
            )
          )
  )
  // Coinbase logo
  and (
    any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands, .name == "Coinbase")
    )
    or any(ml.logo_detect(file.message_screenshot()).brands, .name == "Coinbase")
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
  - "Image as content"
  - "Impersonation: Brand"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "URL analysis"
id: "b61e2f8e-ab8e-5212-ab20-c294babfc6d9"