
Brand impersonation: Binance

Sublime Rules

Summary
This detection rule identifies phishing attempts that impersonate the cryptocurrency exchange Binance. It combines several message attributes to reach a verdict. The display name, sender domain and subject line are checked for the term 'Binance' using case-insensitive string matching and near-match detection (Levenshtein distance), so that lookalikes with a swapped or inserted character are caught as well as exact spellings. Mail whose sender domain is a Binance-owned domain such as 'binance.com' or 'trustwallet.com' is excluded, since those senders indicate legitimate correspondence. To improve precision, the rule applies Natural Language Understanding (NLU) classifiers to the message body: it looks for the 'Binance' entity categorised as 'financial' and assesses the nature and urgency of the request, in particular wording that suggests a financial transaction such as 'withdrawal' or 'deposit'. Finally, the rule considers the sender's infrastructure, distinguishing free email services from custom domains, and consults historical email patterns to determine whether there has been prior communication with the sender. The rule's severity is medium: the match is a discernible risk that should be monitored closely but does not by itself require immediate escalation.
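The following is an added example that approximates the checks described above in plain Python so the logic can be run against sample messages offline. It is not the Sublime rule itself (which is written in Sublime's query language and relies on its NLU classifiers): the domain lists, the keyword stand-in for the financial-request classifier, the Levenshtein threshold of 1, the `SKIP_TOKENS` allowlist and the sample messages are all assumptions constructed for illustration. One caveat worth seeing in code is that near-match detection on its own also matches ordinary words, since "finance" is one substitution away from "binance"; the example skips such tokens explicitly.

```python
"""Added example: simplified, offline approximation of a Binance brand-impersonation
rule. Not the Sublime rule's own code; lists, thresholds and samples are assumptions."""
import re
from dataclasses import dataclass

# Assumption: domains treated as legitimate Binance-owned senders (the two the
# summary names; the real rule's list may differ).
ORG_DOMAINS = {"binance.com", "trustwallet.com"}
# Assumption: a small stand-in for a free-mail provider list.
FREE_MAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
# Assumption: keyword stand-in for the NLU "financial request" classifier.
FINANCIAL_TERMS = ("withdraw", "deposit", "transfer", "wallet")
BRAND = "binance"
MAX_EDIT_DISTANCE = 1  # assumption: near-match threshold
# Assumption: ordinary words within MAX_EDIT_DISTANCE of the brand that must not
# count as lookalikes ("finance" is one substitution away from "binance").
SKIP_TOKENS = {"finance"}


@dataclass
class Message:
    display_name: str
    sender_email: str
    subject: str
    body: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance by the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mentions_brand(text: str) -> bool:
    """Case-insensitive substring match or near-match on any alphanumeric token."""
    for token in re.findall(r"[a-z0-9]+", text.lower()):
        if token in SKIP_TOKENS:
            continue
        if BRAND in token:
            return True
        # Length difference is a lower bound on edit distance; skip the DP when it is too large.
        if abs(len(token) - len(BRAND)) <= MAX_EDIT_DISTANCE and levenshtein(token, BRAND) <= MAX_EDIT_DISTANCE:
            return True
    return False


def evaluate(msg: Message, known_senders: set[str]) -> dict:
    """Return a verdict: flagged (bool), severity, and the signals that fired."""
    sender = msg.sender_email.lower()
    domain = sender.rsplit("@", 1)[-1]
    if domain in ORG_DOMAINS or any(domain.endswith("." + d) for d in ORG_DOMAINS):
        return {"flagged": False, "severity": None, "signals": ["org-owned sender domain"]}
    signals = [label for label, text in (("brand in display name", msg.display_name),
                                         ("brand in sender domain", domain),
                                         ("brand in subject", msg.subject))
               if mentions_brand(text)]
    if not signals:
        return {"flagged": False, "severity": None, "signals": []}
    body = msg.body.lower()
    if not (mentions_brand(body) and any(t in body for t in FINANCIAL_TERMS)):
        return {"flagged": False, "severity": None, "signals": signals}
    signals.append("financial request naming the brand in body")
    if domain in FREE_MAIL_PROVIDERS:
        signals.append("free-mail sender")
    elif sender in known_senders:
        signals.append("prior communication with custom-domain sender")
        return {"flagged": False, "severity": None, "signals": signals}
    else:
        signals.append("custom domain with no prior communication")
    return {"flagged": True, "severity": "medium", "signals": signals}


# Constructed sample messages (not real mail).
SAMPLES = {
    "lookalike-domain": Message("Binance Support", "security@binnance-verify.com",
                                "Urgent: withdrawal on hold",
                                "Your Binance withdrawal of 0.5 BTC is pending. Confirm your deposit address now."),
    "legit-org-domain": Message("Binance", "no-reply@mail.binance.com",
                                "Your deposit is confirmed", "Your Binance deposit has been credited."),
    "free-mail": Message("Binance Team", "binance.help.desk@gmail.com",
                         "Account notice", "Your Binance withdrawal is blocked until you verify your wallet."),
    "finance-not-binance": Message("Finance Dept", "ap@example-corp.com",
                                   "Q3 finance review", "Please review the attached finance deck."),
    "known-partner": Message("Binance Partner Desk", "desk@partner-binance-news.com",
                             "Monthly update", "Your Binance deposit bonus details are inside."),
}
KNOWN_SENDERS = {"desk@partner-binance-news.com"}  # constructed prior-communication record


def run_samples() -> dict:
    return {name: evaluate(msg, KNOWN_SENDERS) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:22} flagged={verdict['flagged']!s:5} {verdict['signals']}")
```

Running the block flags the lookalike-domain and free-mail samples, clears the message from a Binance-owned subdomain, ignores the unrelated "Finance" mail thanks to the skip list, and suppresses the custom-domain sender with a prior-communication record, which mirrors the order of checks in the summary above.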
Categories
  • Web
  • Identity Management
  • Cloud
Data Sources
  • User Account
  • Network Traffic
  • Application Log
  • Process
  • Web Credential
Created: 2023-05-24