57 changes: 41 additions & 16 deletions detection-rules/impersonation_netflix.yml
Expand Up @@ -10,10 +10,27 @@ authors:
source: |
type.inbound
and (
regex.icontains(strings.replace_confusables(sender.display_name), '[nm]etf[li][il]x')
or strings.ilevenshtein(strings.replace_confusables(sender.display_name), 'netflix') <= 1
or regex.icontains(strings.replace_confusables(sender.email.domain.domain), '[nm]etf[li][il]x')
or regex.icontains(strings.replace_confusables(sender.display_name), 'n.{0,3}e.{0,3}t.{0,3}f.{0,3}l.{0,3}i.{0,3}x.{0,3}')
// obfuscated sender display name
(
sender.display_name is not null
and (
regex.icontains(strings.replace_confusables(sender.display_name),
'[nm]etf[li][il]x'
)
or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
'netflix'
) <= 1
or regex.icontains(strings.replace_confusables(sender.display_name),
'n.{0,3}e.{0,3}t.{0,3}f.{0,3}l.{0,3}i.{0,3}x.{0,3}'
)
)
)
// obfuscated sender email
or regex.icontains(strings.replace_confusables(sender.email.domain.domain),
'[nm]etf[li][il]x'
)

// unusual recipient pattern + logo detect + credphish dispoistion
or (
(
length(recipients.to) == 0
Expand All @@ -23,17 +40,26 @@ source: |
)
)
and any(ml.logo_detect(file.message_screenshot()).brands,
.name == "Netflix"
and .confidence in ("medium", "high")
and (
any(body.links,
ml.link_analysis(.).credphish.disposition == "phishing"
and ml.link_analysis(.).credphish.confidence in (
"medium",
"high"
)
)
)
.name == "Netflix" and .confidence in ("medium", "high")
)
and (
any(body.links,
ml.link_analysis(.).credphish.disposition == "phishing"
and ml.link_analysis(.).credphish.confidence in ("medium", "high")
)
)
)
// logo detect + nlu (no link analysis)
or (
any(ml.logo_detect(file.message_screenshot()).brands, .name == "Netflix")
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft"
)
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "financial"
)
and any(ml.nlu_classifier(body.current_thread.text).topics,
.name == "Customer Service and Support"
)
)
)
Expand All @@ -57,7 +83,6 @@ source: |
'netflix.zendesk.com' // netflix actual support
)
and sender.email.email not in $recipient_emails

attack_types:
- "Credential Phishing"
tactics_and_techniques:
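Review bot: The new `// logo detect + nlu (no link analysis)` branch at the end of the second hunk accepts any `ml.logo_detect(...)` Netflix brand match without the `.confidence in ("medium", "high")` filter that the sibling branch directly above it applies, so a low-confidence logo hit plus the three NLU matches is enough to fire, which is the looser of the two paths despite having no link-analysis corroboration. Unless the lower bar is deliberate, change that line to `any(ml.logo_detect(file.message_screenshot()).brands, .name == "Netflix" and .confidence in ("medium", "high"))` so both branches share the same logo threshold. The `intents`, `entities` and `topics` checks in the same branch also carry no confidence restriction; if those results expose a confidence value as the brands list does, the same `("medium", "high")` filter would be consistent there too. Separately, the comment `// unusual recipient pattern + logo detect + credphish dispoistion` in the first hunk has a typo and should read `disposition`.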