Medium Severity

Brand impersonation: Toronto-Dominion Bank

Labels

Credential Phishing

Impersonation: Brand

Natural Language Understanding

Optical Character Recognition

Sender analysis

Description

Impersonation of TD Bank or TD Canada Trust using display name spoofing or logo detection, combined with suspicious content related to security authentication or credential theft from unauthorized senders.

References

No references.

Sublime Security

Created Oct 22nd, 2025 • Last updated Oct 22nd, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and (
  // display name contains TD Bank
  (
    strings.ilike(strings.replace_confusables(sender.display_name), '*TD Bank*')
    or strings.ilike(strings.replace_confusables(sender.display_name),
                     '*TD Canada Trust*'
    )
    // levenshtein distance similar to TD bank
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'TD Bank'
    ) <= 1
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'TD Canada Trust'
    ) <= 1
    or any(ml.logo_detect(file.message_screenshot()).brands,
           .name == "TD Bank" and .confidence == "high"
    )
  )
)
and (
  (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in (
          "Security and Authentication",
          "Secure Message",
          "Reminders and Notifications"
        )
        and .confidence in ("medium", "high")
    )
    and not any(ml.nlu_classifier(body.current_thread.text).topics,
                .name in ("Newsletters and Digests", "Entertainment and Sports")
                and .confidence in ("medium", "high")
    )
  )
  or (
    beta.ocr(file.message_screenshot()).text != ""
    and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
            .name in (
              "Security and Authentication",
              "Secure Message",
              "Reminders and Notifications"
            )
            and .confidence in ("medium", "high")
    )
    and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
                .name in ("Newsletters and Digests", "Entertainment and Sports")
                and .confidence in ("medium", "high")
    )
  )
  or any(ml.nlu_classifier(body.current_thread.text).intents,
         .name == "cred_theft" and .confidence == "high"
  )
  or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
         .name == "cred_theft" and .confidence == "high"
  )
)

// and the sender is not in org_domains or from TD domains and passes auth
and not (
  sender.email.domain.root_domain in $org_domains
  or (
    sender.email.domain.root_domain in (
      "td.com",
      "tdbank.com",
      "tdcanadatrust.com",
      "tdameritrade.com",
      "tdwaterhouse.ca",
      "tdwaterhouse.com",
      "tdassetmanagement.com",
      "tdinsurance.com",
      "tdautofinance.com",
      "tdautofinance.ca",
      "email-td.com",
      "feedback-td.com",
      "interac.ca"
    )
    and headers.auth_summary.dmarc.pass
  )
)
// and the sender is not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender().solicited
  or not headers.auth_summary.dmarc.pass
  or not headers.auth_summary.spf.pass
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.