Sublime Core Feed
Medium Severity

Brand impersonation: Hulu

Labels

Credential Phishing
Spam
Free email provider
Impersonation: Brand
Lookalike domain
Social engineering
Computer Vision
Header analysis
Sender analysis

Description

Impersonation of Hulu.

Sublime Security
Created Oct 10th, 2024 • Last updated Feb 4th, 2025
Feed Source: Sublime Core Feed
Source: GitHub

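// Inbound messages only
type.inbound
// Hulu indicators: display name, sender domain, or logo
and (
  // display name contains "hulu" as a whole word
  regex.icontains(sender.display_name, '\bhulu\b')
  // display name within one edit of "hulu", excluding known legitimate near-matches
  or (
    strings.ilevenshtein(sender.display_name, 'hulu') <= 1
    and not (
      // lulu.com is a self publisher
      sender.display_name =~ "lulu"
      and sender.email.domain.root_domain == "lulu.com"
    )
    and not (
      // hudu.com is an IT documentation management platform
      sender.display_name =~ "hudu"
      and sender.email.domain.root_domain == "hudu.com"
    )
  )
  // sender domain contains "hulu"
  or strings.ilike(sender.email.domain.domain, '*hulu*')
  // no To recipients, or every To and CC domain is invalid,
  // and the Hulu logo is detected in the message screenshot
  or (
    (
      length(recipients.to) == 0
      or (
        all(recipients.to, .email.domain.valid == false)
        and all(recipients.cc, .email.domain.valid == false)
      )
    )
    and any(ml.logo_detect(beta.message_screenshot()).brands,
            .name == "Hulu" and .confidence in ("medium", "high")
    )
  )
)
// sender is not on a Hulu domain, or claims a Hulu domain but does not pass DMARC
and (
  sender.email.domain.root_domain not in ('hulu.com', 'hulumail.com', 'hulu.jp', 'hulu-japan.jp')
  or (
    sender.email.domain.root_domain in ('hulu.com', 'hulumail.com', 'hulu.jp', 'hulu-japan.jp')
    and not headers.auth_summary.dmarc.pass
  )
)
// skip senders whose sender profile marks them as solicited
and not profile.by_sender().solicited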