• Sublime Core Feed
Medium Severity

Brand Impersonation: TikTok

Labels

Credential Phishing
Impersonation: Brand
Social engineering
Computer Vision
Content analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis

Description

Detects messages impersonating TikTok through similar display names or logo detection, combined with security-themed content and authentication failures. Excludes legitimate TikTok communications and trusted senders.

References

No references.

Sublime Security
Created Mar 31st, 2025 • Last updated Jun 25th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  // TikTok Brand Detection 
  (
    // display name contains tiktok
    strings.ilike(strings.replace_confusables(sender.display_name), '*tiktok*')
    // levenshtein distance similar to tiktok
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'tiktok'
    ) <= 1
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           .name == "TikTok" and .confidence == "high"
    )
  )
  // OR TikTok verification language
  or (
    strings.icontains(body.current_thread.text, "tiktok")
    and (
      strings.icontains(body.current_thread.text, "verified badge")
      or strings.icontains(body.current_thread.text, "verification criteria")
      or strings.icontains(body.current_thread.text, "activate badge")
      or strings.icontains(body.current_thread.text, "verification complete")
      or strings.icontains(body.current_thread.text, "almost verified")
      or strings.icontains(body.current_thread.text, "review complete")
    )
  )
)
and (
  // ML Topic Analysis and Credential Theft Detection
  any(beta.ml_topic(body.current_thread.text).topics,
      .name in (
        "Security and Authentication",
        "Secure Message",
        "Reminders and Notifications"
      )
      and .confidence in ("medium", "high")
  )
  or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,
         .name in (
           "Security and Authentication",
           "Secure Message",
           "Reminders and Notifications"
         )
         and .confidence in ("medium", "high")
         and beta.ocr(beta.message_screenshot()).text != ""
  )
  or any(ml.nlu_classifier(body.current_thread.text).intents,
         .name == "cred_theft" and .confidence == "high"
  )
  or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
         .name == "cred_theft" and .confidence == "high"
  )
)
// Not from legitimate TikTok or Google domains with DMARC pass
and not (
  sender.email.domain.root_domain in $org_domains
  or (
    sender.email.domain.root_domain in (
      "tiktok.com",
      "tiktokglobalshop.com",
      "bytedance.com"
    )
    and headers.auth_summary.dmarc.pass
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started