• Sublime Core Feed
Medium Severity

Brand Impersonation: Coinbase with suspicious links

Labels

Credential Phishing
Evasion
Free subdomain host
Image as content
Impersonation: Brand
Computer Vision
Content analysis
File analysis
URL analysis

Description

Detects messages impersonating Coinbase with low reputation or url shortened links.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Nov 18th, 2023
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and sender.email.domain.root_domain != "coinbase.com"

// more than 0 less than 5 links
and 0 < length(body.links) < 5

// none of the links are to coinbase.com
and all(body.links, .href_url.domain.root_domain != "coinbase.com")

// low rep or url shortened links found
and any(body.links,
        .href_url.domain.domain in $url_shorteners

        // exempting legitimate Google Maps shortener
        and (
          not strings.ilike(.href_url.url, "http?://goo.gl/maps*")
          or (
            .href_url.domain.domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
            or 

            // mass mailer link, masks the actual URL
            .href_url.domain.root_domain in (
              "hubspotlinks.com",
              "mandrillapp.com",
              "sendgrid.net",
            )
          )
        )
)
// Coinbase logo
and (
  any(attachments,
      .file_type in $file_types_images
      and any(ml.logo_detect(.).brands, .name == "Coinbase")
  )
  or any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Coinbase")
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started