Brand impersonation: Trust Wallet

name: "Brand impersonation: Trust Wallet"
description: "Detects inbound messages containing links where the sender impersonates Trust Wallet through display name manipulation and suspicious language, while not being from legitimate Trust Wallet domains. The rule checks for credential theft patterns and validates sender authentication."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(body.links) > 0
  and (
    regex.icontains(strings.replace_confusables(sender.display_name),
                    '\btrust wa[li1]{2}et\b'
    )
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'trust wallet'
    ) <= 2
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("cred_theft", "callback_scam", "steal_pii", "extortion")
        and .confidence in ("high")
    )
  )
  and sender.email.domain.root_domain not in~ ('trustwallet.com')
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and not profile.by_sender().any_messages_benign

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Header analysis"
id: "e456974c-a62d-590a-b0d7-f659c9f60c8c"