Medium Severity
Brand Impersonation: Booking.com
Description
Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains.
References
No references.
Sublime Security
Created Mar 3rd, 2025 • Last updated May 29th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and length(body.links) < 10
and any(beta.ml_topic(body.current_thread.text).topics,
.name in ("Travel and Transportation", "Customer Service and Support")
and .confidence == "high"
)
and (
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "org" and .text == "Booking.com"
or strings.icontains(body.current_thread.text, ' booking.com ')
)
)
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft"
)
or any(body.links,
strings.ilike(.display_text,
"*review*",
"*complaint*",
"*contact*",
"*accommodation*"
)
or .display_url.domain.root_domain == "booking.com" and .mismatched
or network.whois(.href_url.domain).days_old < 30
)
)
and sender.email.domain.root_domain not in~ ('booking.com')
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
Playground
Test against your own EMLs or sample data.