EXPLORE
Sign In
← Back to Explore
sublimehighRule

Brand impersonation: Chase Bank

Impersonation of Chase Bank and related services to harvest credentials or related information such as dates of birth, phone numbers, social security numbers, ATM pin numbers, drivers license numbers, selfies, and ID card photos.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1598.003T1583.001
initial-access

Detection Query

type.inbound
and (
  strings.ilike(sender.display_name,
                '*chase sapphire*',
                '*chase card services*',
                '*united mileageplus*',
                "echase*"
  )
  or strings.ilevenshtein(sender.display_name, 'chase sapphire') <= 2
  or strings.ilevenshtein(sender.display_name, 'chase card services') <= 2
  or strings.ilevenshtein(sender.display_name, 'united mileageplus') <= 2
  or (
    (
      strings.ilevenshtein(sender.display_name, 'echase') <= 1
      or (
        strings.icontains(sender.display_name, "bank")
        and strings.icontains(subject.base, "chase bank")
      )
    )
    // Negate Chase sender display name if cred theft, callback phishing, and a Chase logo isn't detected
    and not (
      strings.icontains(sender.display_name, 'chase')
      and not (
        any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "cred_theft" and .confidence in ("medium", "high")
        )
        or any(ml.nlu_classifier(body.current_thread.text).intents,
               .name == "callback_scam" and .confidence in ("medium", "high")
        )
        or any(ml.logo_detect(file.message_screenshot()).brands,
               strings.starts_with(.name, "Chase")
        )
      )
    )
  )
  or regex.icontains(body.current_thread.text,
                     '(Chase|J\.?\s?P\.?\sMorgan)\s(Privacy|Treasury)\sOperations|(Privacy|Treasury)\sOperations\s(Chase|J\.?\s?P\.?\sMorgan)'
  )
)
and not (
  sender.display_name is not null and sender.display_name in~ ("chaser", "case")
)
and sender.email.domain.root_domain not in~ (
  'chase.com',
  'united.com',
  'transunion.com',
  'shopping-chase.com',
  'chasetravel.com',
  'chaseoffers.com'
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

References

Raw Content
name: "Brand impersonation: Chase Bank"
description: |
  Impersonation of Chase Bank and related services to harvest credentials or related information 
  such as dates of birth, phone numbers, social security numbers, ATM pin numbers, drivers license 
  numbers, selfies, and ID card photos.
references:
  - "https://cyware.com/news/new-phishing-scam-impersonating-chase-bank-asks-for-sensitive-data-including-selfies-53065228"
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name,
                  '*chase sapphire*',
                  '*chase card services*',
                  '*united mileageplus*',
                  "echase*"
    )
    or strings.ilevenshtein(sender.display_name, 'chase sapphire') <= 2
    or strings.ilevenshtein(sender.display_name, 'chase card services') <= 2
    or strings.ilevenshtein(sender.display_name, 'united mileageplus') <= 2
    or (
      (
        strings.ilevenshtein(sender.display_name, 'echase') <= 1
        or (
          strings.icontains(sender.display_name, "bank")
          and strings.icontains(subject.base, "chase bank")
        )
      )
      // Negate Chase sender display name if cred theft, callback phishing, and a Chase logo isn't detected
      and not (
        strings.icontains(sender.display_name, 'chase')
        and not (
          any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "cred_theft" and .confidence in ("medium", "high")
          )
          or any(ml.nlu_classifier(body.current_thread.text).intents,
                 .name == "callback_scam" and .confidence in ("medium", "high")
          )
          or any(ml.logo_detect(file.message_screenshot()).brands,
                 strings.starts_with(.name, "Chase")
          )
        )
      )
    )
    or regex.icontains(body.current_thread.text,
                       '(Chase|J\.?\s?P\.?\sMorgan)\s(Privacy|Treasury)\sOperations|(Privacy|Treasury)\sOperations\s(Chase|J\.?\s?P\.?\sMorgan)'
    )
  )
  and not (
    sender.display_name is not null and sender.display_name in~ ("chaser", "case")
  )
  and sender.email.domain.root_domain not in~ (
    'chase.com',
    'united.com',
    'transunion.com',
    'shopping-chase.com',
    'chasetravel.com',
    'chaseoffers.com'
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "c680f1e7-01b9-5b95-897b-65957f4a57aa"