Sublime Core Feed

Login to Sublime

Low Severity

Brand Impersonation: Exodus

Labels

Credential Phishing

Impersonation: Brand

Social engineering

Header analysis

Natural Language Understanding

Sender analysis

Description

Attack impersonating Exodus Wallet.

References

https://exodus.com

Sublime Security

Created Aug 17th, 2023 • Last updated Apr 25th, 2024

Feed Source

Sublime Core Feed

Source

type.inbound
and (
  strings.ilike(sender.display_name, "*exodus*")
  or (
    strings.ilike(sender.email.domain.root_domain, "*exodus*")
    and network.whois(sender.email.domain).days_old <= 30
  )
)
and sender.email.domain.root_domain not in ("exodus.com", "exodus.io", "exodusescaperoom.com")
and sender.email.email not in $recipient_emails
and (
  any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
  or any(ml.nlu_classifier(body.current_thread.text).entities, .text == "wallet")
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.