[PR #3490] added rule: Brand impersonation: Carta

github-actions[bot] · github-actions[bot] · commit e358b786d733 · 2025-11-06T23:53:39.000Z
diff --git a/detection-rules/3490_brand_impersonation_carta.yml b/detection-rules/3490_brand_impersonation_carta.yml
@@ -0,0 +1,88 @@
+name: "Brand impersonation: Carta"
+description: "Detects messages impersonating Carta, a cap table management platform, by analyzing sender display names, subject lines containing equity-related terms, and body content for Carta-specific language. Excludes legitimate Carta domains with valid DMARC authentication and benign newsletters."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and (
+    strings.ilike(strings.replace_confusables(sender.display_name), "Carta")
+    or strings.ilike(sender.display_name, "*via Carta*")
+    // or  any(ml.logo_detect(file.message_screenshot()).brands,
+    //           .name == "Carta"
+    // )
+    or (
+      (
+        any([subject.subject, sender.display_name],
+            strings.ilike(.,
+                          "*Investor Relations*",
+                          "*Capital Contribution*",
+                          "*Option Grant*"
+            )
+        )
+        or (
+          regex.icontains(subject.subject,
+                          'newly (created|vested|issued|provided).*(option|grant|equit(y|ies))'
+          )
+        )
+      )
+      and (
+        strings.icontains(body.current_thread.text, "carta")
+        // terms present in Carta email footers
+        or strings.icontains(body.current_thread.text, "Equity Education Center")
+        or strings.icontains(body.current_thread.text, "Visit our Knowledge Base")
+        or strings.icontains(body.current_thread.text, "eShares")
+        or any(file.explode(file.message_screenshot()),
+               strings.icontains(.scan.ocr.raw, "carta")
+               // terms present in Carta email footers
+               or strings.icontains(.scan.ocr.raw, "Equity Education Center")
+               or strings.icontains(.scan.ocr.raw, "Visit our Knowledge Base")
+               or strings.icontains(.scan.ocr.raw, "eShares")
+        )
+      )
+    )
+  )
+  and not (
+    (
+      sender.email.domain.root_domain in~ (
+        "carta.com",
+        "connectedcommunity.org" // Carta Community Forum
+      )
+      and headers.auth_summary.dmarc.pass
+    )
+    // negate benign newsletters
+    or (
+      any(ml.nlu_classifier(body.current_thread.text).topics,
+          .name == "Newsletters and Digests" and .confidence == "high"
+      )
+      and any(ml.nlu_classifier(body.current_thread.text).intents,
+              .name == "benign"
+      )
+    )
+    // negate spanish language messages
+    or ml.nlu_classifier(body.current_thread.text).language in~ ("spanish")
+  )
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Natural Language Understanding"
+  - "Header analysis"
+  - "Sender analysis"
+  - "Optical Character Recognition"
+id: "42223709-8832-56d5-87ea-149d3bf5f7b9"
+og_id: "a19f890b-2155-50f3-92f8-af0730f9f6ee"
+testing_pr: 3490
+testing_sha: 002d972bc18ba842ce1d4b0ffcc4fa597724a727
