High Severity
Brand impersonation: Wise
Description
Impersonating Wise Financial, an online banking platform.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated Feb 20th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and (
regex.icontains(sender.display_name, '\bwise\b')
or strings.ilike(sender.email.domain.domain, '*wise*')
)
and (
any(ml.nlu_classifier(body.current_thread.text).tags,
.name in ("payment", "invoice")
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("cred_theft", "steal_pii") and .confidence == "high"
)
)
and (
any(attachments,
.file_type in $file_extensions_common_archives
or .file_type in $file_extensions_executables
or .file_type in $file_extensions_macros
or .file_type in ("lz")
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
or any(body.links,
regex.icontains(.display_text,
// https://github.com/sublime-security/static-files/blob/master/suspicious_subjects_regex.txt
"termination.*notice",
"38417",
":completed",
"[il1]{2}mit.*ma[il1]{2} ?bo?x",
"[il][il][il]egai[ -]",
"[li][li][li]ega[li] attempt",
"[ng]-?[io]n .*block",
"[ng]-?[io]n .*cancel",
"[ng]-?[io]n .*deactiv",
"[ng]-?[io]n .*disabl",
"action.*required",
"abandon.*package",
"about.your.account",
"acc(ou)?n?t (is )?on ho[li]d",
"acc(ou)?n?t.*terminat",
"acc(oun)?t.*[il1]{2}mitation",
"access.*limitation",
"account (will be )?block",
"account.*de-?activat",
"account.*locked",
"account.*re-verification",
"account.*security",
"account.*suspension",
"account.has.been",
"account.has.expired",
"account.will.be.blocked",
"account v[il]o[li]at",
"activity.*acc(oun)?t",
"almost.full",
"app[li]e.[il]d",
"authenticate.*account",
"been.*suspend",
"clos.*of.*account.*processed",
"confirm.your.account",
"courier.*able",
"crediential.*notif",
"deactivation.*in.*progress",
"delivery.*attempt.*failed",
"document.received",
"documented.*shared.*with.*you",
"dropbox.*document",
"e-?ma[il1]+ .{010}suspen",
"e-?ma[il1]{1} user",
"e-?ma[il1]{2} acc",
"e-?ma[il1]{2}.*up.?grade",
"e.?ma[il1]{2}.*server",
"e.?ma[il1]{2}.*suspend",
"email.update",
"faxed you",
"fraud(ulent)?.*charge",
"from.helpdesk",
"fu[il1]{2}.*ma[il1]+[ -]?box",
"has.been.*suspended",
"has.been.limited",
"have.locked",
"he[li]p ?desk upgrade",
"heipdesk",
"i[il]iega[il]",
"ii[il]ega[il]",
"incoming e?mail",
"incoming.*fax",
"lock.*security",
"ma[il1]{1}[ -]?box.*quo",
"ma[il1]{2}[ -]?box.*fu[il1]",
"ma[il1]{2}box.*[il1]{2}mit",
"ma[il1]{2}box stor",
"mail on.?hold",
"mail.*box.*migration",
"mail.*de-?activat",
"mail.update.required",
"mails.*pending",
"messages.*pending",
"missed.*shipping.*notification",
"missed.shipment.notification",
"must.update.your.account",
"new [sl][io]g?[nig][ -]?in from",
"new voice ?-?mail",
"notifications.*pending",
"office.*3.*6.*5.*suspend",
"office365",
"on google docs with you",
"online doc",
"password.*compromised",
"periodic maintenance",
"potential(ly)? unauthorized",
"refund not approved",
"revised.*policy",
"scam",
"scanned.?invoice",
"secured?.update",
"security breach",
"securlty",
"signed.*delivery",
"status of your .{314}? ?delivery",
"susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
"suspicious.*sign.*[io]n",
"suspicious.activit",
"temporar(il)?y deactivate",
"temporar[il1]{2}y disab[li]ed",
"temporarily.*lock",
"un-?usua[li].activity",
"unable.*deliver",
"unauthorized.*activit",
"unauthorized.device",
"undelivered message",
"unread.*doc",
"unusual.activity",
"upgrade.*account",
"upgrade.notice",
"urgent message",
"urgent.verification",
"v[il1]o[li1]at[il1]on security",
"va[il1]{1}date.*ma[il1]{2}[ -]?box",
"verification ?-?require",
"verification( )?-?need",
"verify.your?.account",
"web ?-?ma[il1]{2}",
"web[ -]?ma[il1]{2}",
"will.be.suspended",
"your (customer )?account .as",
"your.office.365",
"your.online.access",
// https://github.com/sublime-security/static-files/blob/master/suspicious_subjects.txt
"account has been limited",
"action required",
"almost full",
"apd notifi cation",
"are you at your desk",
"are you available",
"attached file to docusign",
"banking is temporarily unavailable",
"bankofamerica",
"closing statement invoice",
"completed: docusign",
"de-activation of",
"delivery attempt",
"delivery stopped for shipment",
"detected suspicious",
"detected suspicious actvity",
"docu sign",
"document for you",
"document has been sent to you via docusign",
"document is ready for signature",
"docusign",
"encrypted message",
"failed delivery",
"fedex tracking",
"file was shared",
"freefax",
"fwd: due invoice paid",
"has shared",
"inbox is full",
"invitation to comment",
"invitation to edit",
"invoice due",
"left you a message",
"message from",
"new message",
"new voicemail",
"on desk",
"out of space",
"password reset",
"payment status",
"quick reply",
"re: w-2",
"required",
"required: completed docusign",
"ringcentral",
"scanned image",
"secured files",
"secured pdf",
"security alert",
"new sign-in",
"new sign in",
"sign-in attempt",
"sign in attempt",
"staff review",
"suspicious activity",
"unrecognized login attempt",
"upgrade immediately",
"urgent",
"wants to share",
"w2",
"you have notifications pending",
"your account",
"your amazon order",
"your document settlement",
"your order with amazon",
"your password has been compromised",
)
)
)
and sender.email.domain.root_domain not in~ (
'wise.com',
'wise.jobs',
'splitwise.com',
'connectwise.com'
)
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.