High Severity

Brand impersonation: Coinbase

Labels

Credential Phishing

Impersonation: Brand

Description

Impersonation of the cryptocurrency exchange Coinbase to harvest Coinbase credentials or related information.

References

https://blog.coinbase.com/phishing-attacks-and-how-to-not-fall-victim-42b489d77199

Sublime Security

Created Aug 17th, 2023 • Last updated Nov 4th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and (
  strings.ilike(strings.replace_confusables(sender.display_name), '*coinbase*')
  or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                          'coinbase'
  ) <= 1
  or strings.ilike(sender.email.domain.domain, '*coinbase*')
)
and not (
  sender.email.domain.root_domain in (
    'coinbase.com',
    'q4inc.com',
    'sendsafely.com' // used by Coinbase for verification codes
  )
  and headers.auth_summary.dmarc.pass
)
and (
  // if this comes from a free email provider,
  // flag if org has never sent an email to sender's email before
  (
    sender.email.domain.root_domain in $free_email_providers
    and sender.email.email not in $recipient_emails
  )
  // if this comes from a custom domain,
  // flag if org has never sent an email to sender's domain before
  or (
    sender.email.domain.root_domain not in $free_email_providers
    and sender.email.domain.domain not in $recipient_domains
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.