EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Brand impersonation: Binance

Impersonation of the cryptocurrency exchange Binance.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1598.003T1583.001
initial-access

Detection Query

type.inbound
and (
  strings.ilike(sender.display_name, '*binance*')
  or strings.ilevenshtein(sender.display_name, 'binance') <= 1
  or strings.ilike(sender.email.domain.domain, '*binance*')
  or strings.ilike(subject.subject, '*binance*')
)
and sender.email.domain.root_domain not in~ (
  'binance.com',
  'binance.us',
  'trustwallet.com',
  'binance.charity'
)
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .text == "Binance"
)
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "financial"
)
and (
  any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
  or any(ml.nlu_classifier(body.current_thread.text).entities,
         .name == "request"
  )
)
and (
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .text in~ ("withdrawal", "deposit")
  )
  or any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
)
and (
  // if this comes from a free email provider,
  // flag if org has never sent an email to sender's email before
  (
    sender.email.domain.root_domain in $free_email_providers
    and sender.email.email not in $recipient_emails
  )
  // if this comes from a custom domain,
  // flag if org has never sent an email to sender's domain before
  or (
    sender.email.domain.root_domain not in $free_email_providers
    and sender.email.domain.domain not in $recipient_domains
  )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

Tags

Cryptocurrency
Raw Content
name: "Brand impersonation: Binance"
description: |
  Impersonation of the cryptocurrency exchange Binance.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name, '*binance*')
    or strings.ilevenshtein(sender.display_name, 'binance') <= 1
    or strings.ilike(sender.email.domain.domain, '*binance*')
    or strings.ilike(subject.subject, '*binance*')
  )
  and sender.email.domain.root_domain not in~ (
    'binance.com',
    'binance.us',
    'trustwallet.com',
    'binance.charity'
  )
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .text == "Binance"
  )
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "financial"
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
    or any(ml.nlu_classifier(body.current_thread.text).entities,
           .name == "request"
    )
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .text in~ ("withdrawal", "deposit")
    )
    or any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
  )
  and (
    // if this comes from a free email provider,
    // flag if org has never sent an email to sender's email before
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    // if this comes from a custom domain,
    // flag if org has never sent an email to sender's domain before
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
tags:
  - "Cryptocurrency"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "c3302a76-ff5f-5619-b806-2bfec382f588"