Low Severity
Brand impersonation: Norton
Description
Scans files to detect Norton (Lifelock|360|Security) impersonation.
References
- https://techaeris.com/2021/10/23/psa-watch-out-for-norton-lifelock-phishing-emails/
- https://playground.sublimesecurity.com?id=31310ef5-8725-49b8-9c33-6b18ecdb5ba0
- https://playground.sublimesecurity.com?id=a67bc61c-28f0-4904-a046-4584e706697d
- https://playground.sublimesecurity.com?id=3f5809c9-43cf-4f0c-a709-6f9e3912dbb4
Sublime Security
Created Aug 17th, 2023 • Last updated Oct 8th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and sender.email.domain.domain != "norton.com"
and any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and (
(
strings.ilike(.file_name, "*norton*")
and not (
any(recipients.to, strings.iends_with(.display_name, "Norton"))
)
)
or any(file.explode(.),
regex.icontains(.scan.ocr.raw,
".*norton.?60.*",
".*lifelock.*",
".*norton.?security.*",
".*norton.?anti.?virus.*",
".*Norton.{2,3}subscription.*"
)
)
)
)
and (
(
// if freemail, flag if it's a first-time sender
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
or (
// if custom domain, we want to avoid flagging
// on the real Norton invoices
// so we flag if it's not a first-time sender
// and if it's not in the tranco 1M w/ a reply-to mismatch
// for example we've observed:
// Sender: Norton <quickbooks@notification.intuit.com>
// Reply-to: foo@outlook.com
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
and (
sender.email.domain.root_domain not in $tranco_1m
or any(headers.reply_to,
.email.domain.domain != sender.email.domain.domain
)
)
)
or (
(
length(recipients.to) == 0
or all(recipients.to, .display_name == "Undisclosed recipients")
)
and length(recipients.cc) == 0
and length(recipients.bcc) == 0
)
)
Playground
Test against your own EMLs or sample data.