
Brand impersonation: KnowBe4

Sublime Rules

Summary
This detection rule identifies email impersonation attempts that abuse the KnowBe4 brand, a widely used security awareness training provider. It combines several checks on the sender's display name and domain to catch the small variations attackers use to pass as the brand. The display name is compared against 'KnowBe4' both for an exact match and for a near match, using Levenshtein distance with a threshold of one, so a single substituted, inserted, or dropped character still triggers. The sender's domain is checked for lookalikes of 'knowbe4.com', including variations in its structure. Legitimate mail from knowbe4.com is excluded unless it fails DMARC authentication, and the same condition is applied to high-trust sender domains: mail from those domains is negated unless DMARC fails, so a spoofed message from an otherwise trusted domain is still flagged rather than silently allowed. Together these checks target tactics common in phishing campaigns, namely lookalike domains and social engineering that trades on a recognizable brand.
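The logic described above, re-implemented in Python as an added example and run over constructed sample messages. This is not the Sublime rule itself (which is written in Sublime's query language) and it does not use Sublime's APIs; the message fields, the high-trust domain list, the root-domain helper and the "brand used as a domain label" structural check are assumptions made here for illustration.

```python
# Added example: simplified model of a KnowBe4 brand-impersonation detection.
# Not the original Sublime rule; message format, high-trust list and samples are constructed.

TARGET_NAME = "knowbe4"          # display name to match, compared case-insensitively
TARGET_DOMAIN = "knowbe4.com"    # legitimate sender domain
# Hypothetical stand-in for the rule's high-trust sender domain list
HIGH_TRUST_DOMAINS = {"microsoft.com", "google.com", TARGET_DOMAIN}


def levenshtein(a, b):
    """Edit distance between two strings (two-row dynamic programming)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def root_domain(domain):
    """Crude registrable domain: last two labels. Assumed; real rules use a public-suffix list."""
    labels = domain.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def display_name_matches(display_name):
    """Exact match on 'KnowBe4' or a near match within one edit."""
    name = display_name.strip().lower()
    return name == TARGET_NAME or levenshtein(name, TARGET_NAME) <= 1


def domain_is_lookalike(domain):
    """Lookalike of knowbe4.com: one edit away, or the brand name used as another label."""
    root = root_domain(domain)
    if root == TARGET_DOMAIN:
        return False  # the real domain; handled by the DMARC condition instead
    if levenshtein(root, TARGET_DOMAIN) <= 1:
        return True   # e.g. knowbe4.co, know6e4.com
    labels = domain.lower().split(".")
    # Structural variation (assumed check): knowbe4.example.com, knowbe4-training.com
    return any(TARGET_NAME in label for label in labels[:-1])


def matches_rule(msg):
    """Return True if the message should be flagged as KnowBe4 impersonation."""
    sender_domain = msg["sender_email"].split("@")[-1].lower()
    root = root_domain(sender_domain)
    impersonation = display_name_matches(msg["display_name"]) or domain_is_lookalike(sender_domain)
    if not impersonation:
        return False
    dmarc_pass = msg["dmarc"] == "pass"
    # Exclude legitimate knowbe4.com mail unless it fails DMARC
    if root == TARGET_DOMAIN and dmarc_pass:
        return False
    # Negate high-trust sender domains unless they fail DMARC
    if root in HIGH_TRUST_DOMAINS and dmarc_pass:
        return False
    return True


# Constructed sample messages (not real mail)
SAMPLE_MESSAGES = [
    {"id": "legit", "display_name": "KnowBe4", "sender_email": "security@knowbe4.com", "dmarc": "pass"},
    {"id": "spoofed_real_domain", "display_name": "KnowBe4", "sender_email": "security@knowbe4.com", "dmarc": "fail"},
    {"id": "near_name", "display_name": "Know8e4", "sender_email": "alerts@training-portal.example", "dmarc": "pass"},
    {"id": "lookalike_tld", "display_name": "IT Team", "sender_email": "hr@knowbe4.co", "dmarc": "pass"},
    {"id": "brand_as_label", "display_name": "Helpdesk", "sender_email": "admin@knowbe4-training.com", "dmarc": "pass"},
    {"id": "high_trust_pass", "display_name": "KnowBe4", "sender_email": "notify@microsoft.com", "dmarc": "pass"},
    {"id": "high_trust_fail", "display_name": "KnowBe4", "sender_email": "notify@microsoft.com", "dmarc": "fail"},
    {"id": "unrelated", "display_name": "Jane Doe", "sender_email": "jane@example.com", "dmarc": "pass"},
]


def evaluate_samples():
    """Run the rule over the constructed samples; returns {id: flagged}."""
    return {m["id"]: matches_rule(m) for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for msg_id, flagged in evaluate_samples().items():
        print(f"{msg_id:20s} {'FLAG' if flagged else 'ok'}")
```

The DMARC condition is what keeps the rule from being a pure allowlist: a message claiming to be from knowbe4.com or another high-trust domain is only trusted while that domain's authentication holds, so a direct spoof of the real domain is still caught. Note that the display-name check above compares the whole normalized name, so a name like "KnowBe4 Training" would not match on its own; whether the production rule handles that case depends on its exact normalization, which this summary does not specify.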
Categories
  • Web
  • Identity Management
  • Endpoint
Data Sources
  • User Account
  • Process
  • Network Traffic
Created: 2024-11-25