
Service abuse: Trello board invitation with VIP impersonation

Detects fraudulent Trello board invitations that impersonate organization VIPs by using organization domain names in board titles and including notes purportedly from legitimate company executives.

MITRE ATT&CK

initial-access

Detection Query

// Service-abuse detection: a genuine Trello invitation email (sent by Trello's
// own infrastructure) whose board title or note is crafted to impersonate an
// organization VIP. Both halves below must hold: the hop headers must look like
// a Trello board invite, AND the HTML body must reference an org VIP / org domain.
// $org_vips (items with .display_name) and $org_slds are lists supplied from
// outside this rule — presumably the org's configured VIPs and second-level domains.
type.inbound
and sender.email.domain.root_domain == "trello.com"
// inspect the hops for two observed patterns (either one is sufficient)
and any(headers.hops,
        any(.fields,
            // X-Msys-Api header whose value carries an invite_board_ campaign_id
            // (`=~` appears to be the case-insensitive name comparison; `==` below is exact)
            (
              .name =~ "X-Msys-Api"
              and strings.icontains(.value, 'campaign_id":"invite_board_')
            )
            // Feedback-Id header mentioning trello and invite_board / invite-board
            or (
              .name == "Feedback-Id"
              and strings.icontains(.value, 'trello')
              and regex.icontains(.value, 'invite[_-]board')
            )
        )
)

// inspect the body for two observed patterns (either one is sufficient)
and (
  // pattern 1: an <h2> whose text contains an org VIP display name and the
  // phrase "invited you to their board <org_sld>", i.e. the board is titled
  // after the organization's own domain. `..display_text` appears to refer to
  // the <h2> node of the enclosing any(); `.` is the current list item.
  any(html.xpath(body.html, '//h2').nodes,
      // org vip display name appears in the heading text
      any($org_vips, strings.icontains(..display_text, .display_name))
      // org sld used as the board name
      and any($org_slds,
              strings.icontains(..display_text,
                                strings.concat('invited you to their board ', .)
              )
      )
  )
  // pattern 2: the div enclosing the member-avatar block whose text starts with
  // "A note from ", ends (case-insensitively) with "From", and contains an org
  // VIP display name — the observed layout of a note purportedly from a VIP
  or any(html.xpath(body.html,
                    '//div[img[@class="trello-member-avatar"]]/parent::div'
         ).nodes,
         strings.starts_with(.display_text, 'A note from ')
         and strings.iends_with(.display_text, 'From')
         and any($org_vips, strings.icontains(..display_text, .display_name))
  )
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Sublime Security detection rule; the `source` literal below is the same query
# rendered above. Only the YAML-level comments here are annotations — nothing
# inside the `source:` block scalar has been changed.
name: "Service abuse: Trello board invitation with VIP impersonation"
description: "Detects fraudulent Trello board invitations that impersonate organization VIPs by using organization domain names in board titles and including notes purportedly from legitimate company executives."
type: "rule"
severity: "medium"
# NOTE(review): the inline comment above the Feedback-Id clause in the query
# names X-Atl-Po-Triggerid, but the clause checks the Feedback-Id header.
# The two header alternatives are OR'd; the two body alternatives are OR'd;
# headers AND body must both match, together with the trello.com sender check.
source: |
  type.inbound
  and sender.email.domain.root_domain == "trello.com"
  // inspect the hops for two observed patterns
  and any(headers.hops,
          any(.fields,
              // X-Msys-Api with campaign_id
              (
                .name =~ "X-Msys-Api"
                and strings.icontains(.value, 'campaign_id":"invite_board_')
              )
              // X-Atl-Po-Triggerid with trello and invite board
              or (
                .name == "Feedback-Id"
                and strings.icontains(.value, 'trello')
                and regex.icontains(.value, 'invite[_-]board')
              )
          )
  )
  
  // inspect the body for two observed patterns
  and (
    // org_sld as the start of the board name with the org_vip as the sender
    any(html.xpath(body.html, '//h2').nodes,
        // org vip
        any($org_vips, strings.icontains(..display_text, .display_name))
        // org sld as the board name
        and any($org_slds,
                strings.icontains(..display_text,
                                  strings.concat('invited you to their board ', .)
                )
        )
    )
    // pattern of the first name ending in `From` after the org_vip display name
    or any(html.xpath(body.html,
                      '//div[img[@class="trello-member-avatar"]]/parent::div'
           ).nodes,
           strings.starts_with(.display_text, 'A note from ')
           and strings.iends_with(.display_text, 'From')
           and any($org_vips, strings.icontains(..display_text, .display_name))
    )
  )
# Classification metadata for the rule (not evaluated by the query).
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: VIP"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Sender analysis"
# Stable rule identifier as published on the page.
id: "fedfc94b-4a33-57e0-a891-1af92aec6ddb"