Brand impersonation: Coinbase

Sublime Rules

Summary
This detection rule targets impersonation attacks aimed at the cryptocurrency exchange Coinbase. It identifies emails likely designed to harvest user credentials by analyzing several aspects of each incoming message. The rule checks whether the sender's display name or email domain closely resembles 'coinbase', using substring matching and a Levenshtein distance check. It flags emails where the sender's domain is not one of the legitimate Coinbase or related domains (such as 'coinbase.com' and 'q4inc.com'). It then applies heuristics based on the sender's domain type: messages from a free email provider are flagged when the organization has never communicated with that sender before, and messages from a custom domain are flagged when that domain has not previously been verified as a trusted source. For domains traditionally recognized as high trust, the rule only flags messages that fail DMARC (Domain-based Message Authentication, Reporting & Conformance) authentication. This layered approach helps identify and mitigate phishing attempts targeting Coinbase credentials and protects users from social engineering attacks.
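The heuristics described in the summary, re-implemented as an added illustrative example in Python (this is not the Sublime rule's own code). The edit-distance threshold of 1, the sender-kind labels and the sample messages are constructed assumptions; only the 'coinbase.com' and 'q4inc.com' allowlist comes from the summary.

```python
from dataclasses import dataclass

BRAND = "coinbase"
LEGIT_DOMAINS = {"coinbase.com", "q4inc.com"}  # domains the summary names as legitimate
MAX_EDIT_DISTANCE = 1                          # assumed lookalike threshold, not from the page


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def resembles_brand(text: str) -> bool:
    """Substring match or near miss (edit distance <= MAX_EDIT_DISTANCE) against 'coinbase'."""
    t = text.lower().strip()
    return BRAND in t or levenshtein(t, BRAND) <= MAX_EDIT_DISTANCE


@dataclass
class Message:
    """Constructed stand-in for the message fields the rule reasons about."""
    display_name: str
    sender_domain: str
    sender_kind: str            # "free", "custom" or "high_trust" (assumed labels)
    prior_contact: bool = False  # org has previously exchanged mail with this sender
    dmarc_pass: bool = True      # result of DMARC authentication on the message


def is_coinbase_impersonation(msg: Message) -> bool:
    """Return True when the message matches the layered Coinbase-impersonation heuristics."""
    domain = msg.sender_domain.lower()
    if domain in LEGIT_DOMAINS:
        return False                       # genuine Coinbase / related sender
    sld = domain.split(".")[0]             # "coinbase-secure.com" -> "coinbase-secure"
    if not (resembles_brand(msg.display_name) or resembles_brand(sld)):
        return False                       # no brand lookalike, out of scope for this rule
    if msg.sender_kind == "high_trust":
        return not msg.dmarc_pass          # high-trust domains only flagged on DMARC failure
    # free-mail or custom domain: suspicious unless the sender is already known/verified
    return not msg.prior_contact
```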
Categories
  • Web
  • Identity Management
  • Cloud
  • Endpoint
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2021-02-19