• Sublime Core Feed
Medium Severity

Brand impersonation: Twitter

Labels

Credential Phishing
Impersonation: Brand
Lookalike domain
Social engineering
Sender analysis

Description

Detects inbound messages impersonating Twitter (now X). The sender branch flags a display name equal to, or one edit away from, "twitter", or a sender domain containing "twitter". The X branch requires a high-confidence X logo in the rendered message together with a high-confidence credential-theft intent (in the body text or OCR of the screenshot) and a notification, security, legal or support topic. Known legitimate sending domains and the Hearsay Systems notification path are excluded, as are messages the recipient sent to themselves.

References

Sublime Security
Created Aug 17th, 2023 • Last updated Jul 15th, 2025
Feed Source: Sublime Core Feed
Source: GitHub
type.inbound
and (
  // Twitter logic
  (
    sender.display_name =~ "twitter"
    or strings.ilevenshtein(sender.display_name, 'twitter') <= 1
    or strings.ilike(sender.email.domain.domain, '*twitter*')
  )
  // "X" logic
  or (
    any(ml.logo_detect(beta.message_screenshot()).brands,
        .name == "X" and .confidence == "high"
    )
    and (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence == "high"
      )
      or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
          .name == "cred_theft" and .confidence == "high"
      )
    )
    and any(beta.ml_topic(body.current_thread.text).topics,
            .name in (
              "Reminders and Notifications",
              "Security and Authentication",
              "Legal and Compliance",
              "Customer Service and Support"
            )
    )
  )
)
and sender.email.domain.domain not in~ (
  'twitter.com',
  'privaterelay.appleid.com',
  'stripe.com',
  'x.com',
  'twitter.discoursemail.com'
)
// negate Hearsay Systems, which sends legitimate notifications from a sender subdomain
// of hearsay.twitter.com with a Message-ID at hearsaysystems.com; both must hold
and not (
  strings.ends_with(sender.email.domain.domain, '.hearsay.twitter.com')
  and strings.ends_with(headers.message_id, '@hearsaysystems.com>')
)
and sender.email.email not in $recipient_emails
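The deterministic "Twitter logic" branch of the rule above (display-name match, one-edit Levenshtein tolerance, wildcard domain match, domain allowlist, Hearsay exception, self-addressed exclusion) re-implemented in Python so it can be run offline against sample headers. This is an added example, not Sublime Security's code; the MQL rule itself is what runs in Sublime, and the ML-driven "X" branch (logo detection, NLU intent, topic) is not reproduced. The sample messages, the `.example` domains and the treatment of `$recipient_emails` as the message's own recipient set are constructed assumptions. The samples also show a limit of the display-name clauses: "Twitter Support" is eight edits from "twitter", so a display name with a suffix is only caught when the sender domain itself contains the brand.

```python
"""Added example: the deterministic sender-analysis branch of the
"Brand impersonation: Twitter" rule, run over constructed sample messages.
Not Sublime Security's code; the ML-based "X" branch is intentionally omitted.
"""
from dataclasses import dataclass, field

BRAND = "twitter"

# Sender domains the rule excludes (copied from its `not in~` list).
ALLOWLIST = {
    "twitter.com",
    "privaterelay.appleid.com",
    "stripe.com",
    "x.com",
    "twitter.discoursemail.com",
}


def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive Levenshtein edit distance (strings.ilevenshtein)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


@dataclass
class Message:
    display_name: str
    sender_email: str
    message_id: str = ""
    recipients: set = field(default_factory=set)   # stands in for $recipient_emails
    inbound: bool = True                           # type.inbound

    @property
    def sender_domain(self) -> str:
        """Full sender domain (sender.email.domain.domain), lower-cased."""
        return self.sender_email.rsplit("@", 1)[-1].lower()


def twitter_logic(m: Message) -> bool:
    """display_name =~ "twitter" or ilevenshtein(display_name, "twitter") <= 1
    or ilike(domain, "*twitter*")."""
    return (
        m.display_name.lower() == BRAND
        or ilevenshtein(m.display_name, BRAND) <= 1
        or BRAND in m.sender_domain          # domain already lower-cased: '*twitter*'
    )


def hearsay_exception(m: Message) -> bool:
    """Hearsay Systems notifications: both conditions must hold to be excluded."""
    return (m.sender_domain.endswith(".hearsay.twitter.com")
            and m.message_id.endswith("@hearsaysystems.com>"))


def matches(m: Message) -> bool:
    """Full verdict for the deterministic branch of the rule."""
    return (
        m.inbound
        and twitter_logic(m)
        and m.sender_domain not in ALLOWLIST
        and not hearsay_exception(m)
        and m.sender_email.lower() not in {r.lower() for r in m.recipients}
    )


# Constructed samples (all domains under .example are hypothetical).
SAMPLES = {
    "allowlisted_real_twitter": Message("Twitter", "security@twitter.com"),
    "typo_display_name": Message("Twiter", "no-reply@tw1tter-support.example"),
    "display_name_with_suffix": Message("Twitter Support", "alerts@mailer.example"),
    "lookalike_domain": Message("Account Team", "verify@twitter-verification.example"),
    "hearsay_notification": Message("Twitter", "notify@acme.hearsay.twitter.com",
                                    message_id="<abc123@hearsaysystems.com>"),
    "self_addressed": Message("Twiter", "me@corp.example", recipients={"me@corp.example"}),
}


def run_samples() -> dict:
    """Verdict per sample; a practitioner can add their own Message entries."""
    return {label: matches(m) for label, m in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:28s} {'FLAG' if verdict else 'pass'}")
```

Note that `tw1tter-support.example` is not caught by the domain clause (the digit breaks the `*twitter*` substring), so that sample fires only because its display name is one edit from the brand; the two clauses cover different lookalike tactics and neither alone would do.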