
Brand Impersonation: Exodus

Sublime Rules

Summary
This rule detects potential brand impersonation attacks targeting the Exodus Wallet by analyzing incoming emails. The primary signals are the sender's display name or email domain containing 'exodus', combined with a sender domain that was registered recently (less than 30 days ago) and is not one of the official Exodus domains (`exodus.com`, `exodus.io`, `exodusescaperoom.com`). To reduce false positives, the rule also requires that the sender's address is not itself among the recipients, and it applies Natural Language Understanding (NLU) to the message content to identify non-benign intent or mentions of related keywords such as 'wallet'. Combining these conditions keeps false positives low while still catching phishing attempts that trade on the Exodus brand. The rule carries a low severity rating: the threat is notable but not of immediate critical concern.
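The conditions listed above, modelled in Python over constructed sample messages (added illustration; the actual Sublime rule is written in its own query language and is not reproduced here). The domain-registration table and the regex intent check are assumptions standing in for the real WHOIS lookup and NLU classifier.

```python
import re
from datetime import date
# Official Exodus domains named on the page; mail from these never matches.
OFFICIAL_DOMAINS = {"exodus.com", "exodus.io", "exodusescaperoom.com"}
# Constructed registration dates standing in for a WHOIS lookup (assumption).
WHOIS_CREATED = {"exodus-wallet-support.xyz": date(2024, 5, 20),
                 "old-partner.example": date(2015, 3, 1)}
TODAY = date(2024, 6, 1)  # evaluation date used by the samples below

def domain_age_days(domain, today=TODAY):
    # Days since registration, or None when the lookup has no record.
    created = WHOIS_CREATED.get(domain)
    return None if created is None else (today - created).days

def non_benign_intent(body):
    # Stand-in for the rule's NLU intent classifier (assumption): a regex
    # over credential-harvest phrasing rather than a trained model.
    return re.search(r"\b(verify|restore|recover|confirm) your\b", body, re.I) is not None

def mentions_wallet(body):
    return re.search(r"\bwallet\b", body, re.I) is not None

def matches_rule(msg, today=TODAY):
    # msg: dict with display_name, sender, recipients, body.
    domain = msg["sender"].rsplit("@", 1)[-1].lower()
    if domain in OFFICIAL_DOMAINS:
        return False
    if "exodus" not in msg["display_name"].lower() and "exodus" not in domain:
        return False
    age = domain_age_days(domain, today)
    if age is None or age >= 30:            # unknown age is treated as not new
        return False
    if msg["sender"].lower() in {r.lower() for r in msg["recipients"]}:
        return False                        # sender is also a recipient
    return non_benign_intent(msg["body"]) or mentions_wallet(msg["body"])

# Constructed samples: one impersonation and three that must not fire.
SAMPLES = {
    "lookalike_new_domain": dict(display_name="Exodus Support", sender="help@exodus-wallet-support.xyz",
                                 recipients=["victim@example.com"], body="Verify your wallet within 24 hours."),
    "official_sender": dict(display_name="Exodus", sender="team@exodus.com",
                            recipients=["victim@example.com"], body="Your wallet update is ready."),
    "old_domain": dict(display_name="Exodus Fan Club", sender="news@old-partner.example",
                       recipients=["victim@example.com"], body="Restore your wallet backup."),
    "self_addressed": dict(display_name="Exodus Support", sender="help@exodus-wallet-support.xyz",
                           recipients=["help@exodus-wallet-support.xyz"], body="Verify your wallet now."),
}

def evaluate(samples=SAMPLES):
    return {name: matches_rule(msg) for name, msg in samples.items()}
```

Only the lookalike sent from a 12-day-old domain fires; the official sender, the long-registered domain and the self-addressed message are all excluded by the rule's guard conditions.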
Categories
  • Web
  • Endpoint
  • Identity Management
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2022-01-21