Brand impersonation: Booking.com
Detects messages purporting to be from Booking.com's support team that contain suspicious credential-collection patterns. The sender is not from a legitimate Booking.com domain, and either has a history of problematic behavior or has no prior solicited communication. Trusted domains are excluded only when the message passes DMARC authentication.
Detection Query
// Brand impersonation: Booking.com
//
// Reading guide: every top-level `and (...)` group below must hold for the
// rule to fire; inside a group the `or` branches are alternative signals.
// The two `and not (...)` groups at the end are exclusions.
type.inbound
// Upper bound on link count; presumably keeps link-heavy marketing and
// transactional mail out of scope — confirm against FP history before tuning.
and length(body.links) < 10
// Gate 1 — context: NLU places the current thread in one of these topics with
// a confidence other than "low" ...
and (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in (
"Travel and Transportation",
"Customer Service and Support",
"Security and Authentication"
)
and .confidence != "low"
)
// ... or, when no topic hits, the message is a short text-only note (no links,
// no attachments, under 1000 characters) whose display name claims booking.com.
or (
length(body.links) == 0
and length(attachments) == 0
and length(body.current_thread.text) < 1000
and strings.icontains(sender.display_name, "booking.com")
)
)
// Gate 2 — the brand is actually referenced: an NLU "org" entity whose text is
// exactly "Booking.com" (case-sensitive), the literal " booking.com " bounded
// by spaces in the thread text (so "booking.com," or URL forms do not match
// here), or "booking.com" anywhere in the sender display name.
and (
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "org" and .text == "Booking.com"
)
or strings.icontains(body.current_thread.text, ' booking.com ')
or strings.icontains(sender.display_name, "booking.com")
)
// Gate 3 — a credential-harvesting signal. Either the NLU cred_theft intent, or
// at least one link matching any of the per-link checks, or a lure phrase, or a
// split-up brand "logo" in the HTML.
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft"
)
// Per-link checks (any one suffices for that link). `and` binds tighter than
// `or`, so the booking.com / .mismatched pair is a single condition.
or any(body.links,
// call-to-action wording typical of "respond to this review/complaint" lures
strings.ilike(.display_text,
"*review*",
"*response*",
"*respond*",
"*complaint*",
"*contact*",
"*accommodation*",
"*view*details*"
)
// visible URL says booking.com but the link's actual href disagrees
or .display_url.domain.root_domain == "booking.com" and .mismatched
// intermediary share link that hides the final destination
or .href_url.domain.root_domain == 'share.google'
// destination domain registered less than 30 days ago (external WHOIS lookup;
// kept after the cheap string checks above)
or network.whois(.href_url.domain).days_old < 30
// redirector-style path segment
or strings.icontains(.href_url.path, "/redir")
)
// Lure phrases in the text: "book a rooms" / "open rooms", or " availab*"
// (availability / available).
or regex.icontains(body.current_thread.text, '(?:book\sa|open)\srooms', )
or strings.ilike(body.current_thread.text, "* availab*", )
// Brand "logo" split across two separate HTML elements: one element whose
// visible text equals "Booking" and another whose text equals ".com"
// (`=~` is a case-insensitive equality). A single-string match would miss
// this, which is why both halves are checked independently.
or (
any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes,
.display_text =~ "Booking"
)
and any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes,
.display_text =~ ".com"
)
)
)
// Exclusion 1 — the genuine brand and its known partners (`in~` is
// case-insensitive), but ONLY when DMARC passes. A booking.com From that fails
// or lacks DMARC is deliberately left in scope, since that is what a spoofed
// sender looks like.
and not (
sender.email.domain.root_domain in~ (
'booking.com',
'siteminder.com',
'thinkreservations.com'
)
and headers.auth_summary.dmarc.pass
)
// Gate 4 — sender reputation: the recipient has never solicited mail from this
// sender, or the sender has malicious/spam history and no benign history.
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// Exclusion 2 — Microsoft quarantine notifications, which quote the original
// lure and would otherwise match. Accepted when DMARC passes, or when there is
// no DMARC pass (`coalesce` maps a missing result to false) and the hop at
// index 0 carries X-MS-Exchange-CrossTenant-AuthAs: Internal.
// NOTE(review): which physical hop index 0 denotes depends on Sublime's hop
// ordering — confirm it is the tenant's own Exchange stamp before relying on it.
and not (
sender.email.email == "quarantine@messaging.microsoft.com"
and (
headers.auth_summary.dmarc.pass
// no sender auth, but the first hop is marked AuthAs Internal
or (
not coalesce(headers.auth_summary.dmarc.pass, false)
and any(headers.hops,
.index == 0
and any(.fields,
.name == "X-MS-Exchange-CrossTenant-AuthAs"
and .value == "Internal"
)
)
)
)
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
# Sublime Security detection rule as published in the feed.
#   name / description / type / severity — display metadata for the rule
#   source — the MQL detection query as a block scalar. In this rendering its
#            lines appear without the indentation a `|` scalar requires, so
#            re-indent them under `source: |` before loading this as YAML.
#   attack_types / tactics_and_techniques / detection_methods — taxonomy tags
#   id — the rule's stable identifier
name: "Brand impersonation: Booking.com"
description: "Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains."
type: "rule"
severity: "medium"
# The MQL query. `//` lines inside the scalar are MQL comments, not YAML ones;
# its structure is: topic gate, brand-reference gate, credential-theft signals,
# trusted-domain exclusion (DMARC pass required), sender-reputation gate, and a
# Microsoft-quarantine-notification exclusion.
source: |
type.inbound
and length(body.links) < 10
and (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in (
"Travel and Transportation",
"Customer Service and Support",
"Security and Authentication"
)
and .confidence != "low"
)
// handle instances in which ml_topic does not hit
or (
length(body.links) == 0
and length(attachments) == 0
and length(body.current_thread.text) < 1000
and strings.icontains(sender.display_name, "booking.com")
)
)
and (
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "org" and .text == "Booking.com"
)
or strings.icontains(body.current_thread.text, ' booking.com ')
or strings.icontains(sender.display_name, "booking.com")
)
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft"
)
or any(body.links,
strings.ilike(.display_text,
"*review*",
"*response*",
"*respond*",
"*complaint*",
"*contact*",
"*accommodation*",
"*view*details*"
)
or .display_url.domain.root_domain == "booking.com" and .mismatched
or .href_url.domain.root_domain == 'share.google'
or network.whois(.href_url.domain).days_old < 30
or strings.icontains(.href_url.path, "/redir")
)
// check for text strings that betray intent
or regex.icontains(body.current_thread.text, '(?:book\sa|open)\srooms', )
or strings.ilike(body.current_thread.text, "* availab*", )
// two separate HTML elements impersonating the logo
or (
any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes,
.display_text =~ "Booking"
)
and any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes,
.display_text =~ ".com"
)
)
)
and not (
sender.email.domain.root_domain in~ (
'booking.com',
'siteminder.com',
'thinkreservations.com'
)
and headers.auth_summary.dmarc.pass
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate microsoft quarantine messages
and not (
sender.email.email == "quarantine@messaging.microsoft.com"
and (
headers.auth_summary.dmarc.pass
// no sender auth but MS AuthAs is Internal
or (
not coalesce(headers.auth_summary.dmarc.pass, false)
and any(headers.hops,
.index == 0
and any(.fields,
.name == "X-MS-Exchange-CrossTenant-AuthAs"
and .value == "Internal"
)
)
)
)
)
# Taxonomy tags used by the feed for filtering and reporting.
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Natural Language Understanding"
- "Header analysis"
- "Sender analysis"
# Stable rule identifier; referenced when the rule is updated or disabled.
id: "d1d8882f-f7e2-522e-85e9-b33b1ab5c979"