Create brand_impersonation_punchbowl.yml

detection-rules/brand_impersonation_punchbowl.yml

@@ -0,0 +1,30 @@
+name: "Brand impersonation: Punchbowl"
+description: "Detects messages impersonating Punchbowl invitations not originating from legitimate Punchbowl domain."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  // Looking for Punchbowl phrasing in all body threads
+  and (
+    strings.icontains(body.current_thread.text, "punchbowl")
+    or (any(body.previous_threads, strings.icontains(.text, "punchbowl")))
+    // Look for alt text in HTML for standardized Evite formatting if string is not avail.
+    or strings.icontains(body.html.raw, 'alt="Punchbowl"')
+  )
+  // Phrasing is typically "You're invited"
+  and (
+    strings.icontains(body.current_thread.text, "you're invited")
+    or (any(body.previous_threads, strings.icontains(.text, "you're invited")))
+  )
+  // Legitimate sender will be from punchbowl, negating known non-associated domains.
+  and not sender.email.domain.root_domain in ("punchbowl.com", "punchbowl.news")
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Sender analysis"
+id: "58937ba0-6966-559a-bd4f-759ee8b2979e"