Medium Severity
Brand Impersonation: Booking.com
Description
Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains.
References
No references.
Sublime Security
Created Mar 3rd, 2025 • Last updated Jul 9th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and length(body.links) < 10
and any(beta.ml_topic(body.current_thread.text).topics,
        .name in (
          "Travel and Transportation",
          "Customer Service and Support",
          "Security and Authentication"
        )
        and .confidence != "low"
)
and (
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "org" and .text == "Booking.com"
      or strings.icontains(body.current_thread.text, ' booking.com ')
  )
)
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft"
  )
  or any(body.links,
         strings.ilike(.display_text,
                       "*review*",
                       "*response*",
                       "*complaint*",
                       "*contact*",
                       "*accommodation*"
         )
         or .display_url.domain.root_domain == "booking.com" and .mismatched
         or network.whois(.href_url.domain).days_old < 30
         or strings.icontains(.href_url.path, "/redir")
  )
  // two separate HTML elements impersonating the logo
  or (
    any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes, .display_text =~ "Booking")
    and any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes, .display_text =~ ".com")
  )
)
and sender.email.domain.root_domain not in~ ('booking.com')
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
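To show how the deterministic parts of this rule behave on a real message body, here is an added Python re-implementation of its link and HTML heuristics. It is example code written for this page, not Sublime Security's rule engine or its MQL semantics. It covers the sender root-domain gate, the link-count gate, the ' booking.com ' text mention, the lure-word display text, the brand display URL whose href points elsewhere (the rule's .mismatched), the "/redir" path, the split "Booking" / ".com" logo nodes, and the sender-reputation gate. The ML topic/intent/entity classifiers, the WHOIS domain-age lookup and the DMARC enforcement mentioned in the description are out of scope and are not emulated; the sender reputation fields are passed in as plain parameters; root_domain is a simplified two-label stand-in for a public-suffix-aware helper; and both sample HTML bodies are constructed for the example.

```python
"""Added example: a Python re-implementation of the deterministic heuristics in the
Booking.com impersonation rule above. Not Sublime Security's code; ML, WHOIS and DMARC
checks from the real rule are intentionally left out."""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

IMPERSONATED_ROOT = "booking.com"
LURE_WORDS = ("review", "response", "complaint", "contact", "accommodation")
# Display text that is itself a URL or bare hostname (so a "display URL" exists to compare).
DISPLAY_URL_RE = re.compile(r"^(?:https?://)?(?P<host>[a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


def root_domain(host: str) -> str:
    """Simplified stand-in for a public-suffix-aware root_domain: last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


@dataclass
class Link:
    href: str
    display_text: str


class _LinkParser(HTMLParser):
    """Collects <a> links (href + visible text) and every non-empty text node."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[Link] = []
        self.text_nodes: list[str] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", "") or "", []

    def handle_data(self, data):
        if data.strip():
            self.text_nodes.append(data.strip())
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(Link(self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_link_reasons(link: Link) -> list[str]:
    """Mirror of the per-link branch of the rule (minus the WHOIS age check)."""
    reasons = []
    if any(word in link.display_text.lower() for word in LURE_WORDS):
        reasons.append("lure_word")
    shown = DISPLAY_URL_RE.match(link.display_text.strip())
    actual_host = (urlparse(link.href).hostname or "").lower()
    # Display URL claims the brand's root domain but the href resolves somewhere else.
    if shown and root_domain(shown.group("host")) == IMPERSONATED_ROOT \
            and root_domain(actual_host) != IMPERSONATED_ROOT:
        reasons.append("brand_display_url_mismatch")
    if "/redir" in urlparse(link.href).path.lower():
        reasons.append("redirect_path")
    return reasons


def has_split_logo(text_nodes: list[str]) -> bool:
    """Two separate text nodes, one reading 'Booking' and one '.com' (case-insensitive)."""
    nodes = {n.strip().lower() for n in text_nodes}
    return "booking" in nodes and ".com" in nodes


def evaluate(sender_email: str, html_body: str, *, solicited: bool,
             any_malicious_or_spam: bool, any_false_positives: bool) -> list[str]:
    """Return the sorted list of heuristics that fired, or [] when the rule would not match."""
    parser = _LinkParser()
    parser.feed(html_body)
    if root_domain(sender_email.rsplit("@", 1)[-1]) == IMPERSONATED_ROOT:
        return []  # sender is the brand itself (the real rule pairs this with DMARC)
    if len(parser.links) >= 10:
        return []  # bulk mailings with many links are excluded up front
    if " booking.com " not in (" " + " ".join(parser.text_nodes) + " ").lower():
        return []  # brand never named in the thread (ML "org" entity check not emulated)
    if not ((not solicited) or (any_malicious_or_spam and not any_false_positives)):
        return []  # sender has a clean, solicited history
    reasons = [r for link in parser.links for r in suspicious_link_reasons(link)]
    if has_split_logo(parser.text_nodes):
        reasons.append("split_logo")
    return sorted(set(reasons))


# Constructed sample bodies (not real messages). example.invalid is a reserved TLD.
PHISH_HTML = """<html><body>
<table><tr><td style="font-weight:bold">Booking</td><td style="color:blue">.com</td></tr></table>
<p>Dear partner, a guest has left a complaint about your property on booking.com .</p>
<p><a href="https://example.invalid/redir?to=login">Respond to the complaint</a></p>
<p><a href="https://admin.example.invalid/extranet">https://admin.booking.com/</a></p>
</body></html>"""

BENIGN_HTML = """<html><body>
<p>Your stay at Seaside Inn is confirmed. Manage it on booking.com via the app.</p>
<p><a href="https://www.booking.com/myreservations">View reservation</a></p>
</body></html>"""

if __name__ == "__main__":
    print(evaluate("support@example.invalid", PHISH_HTML, solicited=False,
                   any_malicious_or_spam=False, any_false_positives=False))
```

Running the module prints the four heuristics that fire on the constructed lure; the benign confirmation yields an empty list even from an unsolicited sender, because none of the link or logo heuristics fire. Note that the sender-reputation gate is a precondition, not a signal: with a solicited, clean sender the function returns [] before any link is inspected, which is why the real rule keeps that gate last and combines it with DMARC for the trusted domain.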