← Back to Explore
sublimemediumRule
Brand Impersonation: Disney
Detects messages from senders impersonating Disney through display name spoofing or brand logo usage, combined with security-themed content and suspicious authentication patterns.
Detection Query
type.inbound
and (
// display name contains Disney
(
(
strings.ilike(strings.replace_confusables(sender.display_name),
'*disney*'
)
and not strings.ilike(strings.replace_confusables(sender.display_name),
'*disney springs*'
)
)
// levenshtein distance similar to Disney
or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
'disney'
) <= 1
or any(ml.logo_detect(file.message_screenshot()).brands,
.name == "Disney" and .confidence == "high"
)
)
)
and (
(
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in (
"Security and Authentication",
"Secure Message",
"Reminders and Notifications"
)
and .confidence in ("medium", "high")
)
and not any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Newsletters and Digests", "Entertainment and Sports")
and .confidence in ("medium", "high")
)
)
or (
any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
.name in (
"Security and Authentication",
"Secure Message",
"Reminders and Notifications"
)
and (
.confidence in ("medium", "high")
and beta.ocr(file.message_screenshot()).text != ""
)
)
and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
.name in ("Newsletters and Digests", "Entertainment and Sports")
and .confidence in ("medium", "high")
)
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
.name == "cred_theft" and .confidence == "high"
)
)
// and the sender is not in org_domains or from Disney domains and passes auth
and not (
sender.email.domain.root_domain in $org_domains
or (
// from https://github.com/v2fly/domain-list-community/blob/master/data/disney
sender.email.domain.root_domain in (
"disney.asia",
"disney.be",
"disney.bg",
"disney.ca",
"disney.ch",
"disney.co.il",
"disney.co.jp",
"disney.co.kr",
"disney.co.th",
"disney.co.uk",
"disney.co.za",
"disney.com",
"disney.com.au",
"disney.com.br",
"disney.com.hk",
"disney.com.tw",
"disney.cz",
"disney.de",
"disney.dk",
"disney.es",
"disney.fi",
"disney.fr",
"disney.gr",
"disney.hu",
"disney.id",
"disney.in",
"disney.io",
"disney.it",
"disney.my",
"disney.nl",
"disney.no",
"disney.ph",
"disney.pl",
"disney.pt",
"disney.ro",
"disney.ru",
"disney.se",
"disney.sg",
"disneysurveys.com",
"disneyonline.com",
"disneyaccount.com",
"disneyadvertising.com",
"disneydestinations.com",
"hulu.com",
"hulumail.com",
"canarytechnologies.com", // domain used by a disney resort - hotel mgmt software company
"disneyvacationclub.com",
"twdc.com",
"disneyrewards.com",
"disneystore.com",
"disneyworld.com"
)
and headers.auth_summary.dmarc.pass
)
)
// and the sender is not from high trust sender root domains
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or not headers.auth_summary.dmarc.pass
or not headers.auth_summary.spf.pass
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand Impersonation: Disney"
description: "Detects messages from senders impersonating Disney through display name spoofing or brand logo usage, combined with security-themed content and suspicious authentication patterns."
type: "rule"
severity: "medium"
source: |
type.inbound
and (
// display name contains Disney
(
(
strings.ilike(strings.replace_confusables(sender.display_name),
'*disney*'
)
and not strings.ilike(strings.replace_confusables(sender.display_name),
'*disney springs*'
)
)
// levenshtein distance similar to Disney
or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
'disney'
) <= 1
or any(ml.logo_detect(file.message_screenshot()).brands,
.name == "Disney" and .confidence == "high"
)
)
)
and (
(
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in (
"Security and Authentication",
"Secure Message",
"Reminders and Notifications"
)
and .confidence in ("medium", "high")
)
and not any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Newsletters and Digests", "Entertainment and Sports")
and .confidence in ("medium", "high")
)
)
or (
any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
.name in (
"Security and Authentication",
"Secure Message",
"Reminders and Notifications"
)
and (
.confidence in ("medium", "high")
and beta.ocr(file.message_screenshot()).text != ""
)
)
and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
.name in ("Newsletters and Digests", "Entertainment and Sports")
and .confidence in ("medium", "high")
)
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
.name == "cred_theft" and .confidence == "high"
)
)
// and the sender is not in org_domains or from Disney domains and passes auth
and not (
sender.email.domain.root_domain in $org_domains
or (
// from https://github.com/v2fly/domain-list-community/blob/master/data/disney
sender.email.domain.root_domain in (
"disney.asia",
"disney.be",
"disney.bg",
"disney.ca",
"disney.ch",
"disney.co.il",
"disney.co.jp",
"disney.co.kr",
"disney.co.th",
"disney.co.uk",
"disney.co.za",
"disney.com",
"disney.com.au",
"disney.com.br",
"disney.com.hk",
"disney.com.tw",
"disney.cz",
"disney.de",
"disney.dk",
"disney.es",
"disney.fi",
"disney.fr",
"disney.gr",
"disney.hu",
"disney.id",
"disney.in",
"disney.io",
"disney.it",
"disney.my",
"disney.nl",
"disney.no",
"disney.ph",
"disney.pl",
"disney.pt",
"disney.ro",
"disney.ru",
"disney.se",
"disney.sg",
"disneysurveys.com",
"disneyonline.com",
"disneyaccount.com",
"disneyadvertising.com",
"disneydestinations.com",
"hulu.com",
"hulumail.com",
"canarytechnologies.com", // domain used by a disney resort - hotel mgmt software company
"disneyvacationclub.com",
"twdc.com",
"disneyrewards.com",
"disneystore.com",
"disneyworld.com"
)
and headers.auth_summary.dmarc.pass
)
)
// and the sender is not from high trust sender root domains
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or not headers.auth_summary.dmarc.pass
or not headers.auth_summary.spf.pass
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Computer Vision"
- "Natural Language Understanding"
- "Content analysis"
- "Header analysis"
- "Sender analysis"
id: "bf90b8fb-3f6e-5831-9b3c-1d05b2a4a863"