1+ name : " Brand impersonation: TikTok"
2+ description : " Detects messages impersonating TikTok through similar display names or logo detection, combined with security-themed content and authentication failures. Excludes legitimate TikTok communications and trusted senders."
3+ type : " rule"
4+ severity : " medium"
5+ source : |
6+ type.inbound
7+ and (
8+ // TikTok Brand Detection
9+ (
10+ // display name contains tiktok
11+ strings.ilike(strings.replace_confusables(sender.display_name), '*tiktok*')
12+ // levenshtein distance similar to tiktok
13+ or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
14+ 'tiktok'
15+ ) <= 1
16+ or (
17+ length(ml.logo_detect(file.message_screenshot()).brands) == 1
18+ and any(ml.logo_detect(file.message_screenshot()).brands,
19+ .name == "TikTok" and .confidence == "high"
20+ )
21+ )
22+ // hyphenated sender domain contains tiktok
23+ or strings.iends_with(sender.email.domain.root_domain, "-tiktok.com")
24+ )
25+ // OR TikTok verification language
26+ or (
27+ strings.icontains(body.current_thread.text, "tiktok")
28+ and (
29+ strings.icontains(body.current_thread.text, "verified badge")
30+ or strings.icontains(body.current_thread.text, "verification criteria")
31+ or strings.icontains(body.current_thread.text, "activate badge")
32+ or strings.icontains(body.current_thread.text, "verification complete")
33+ or strings.icontains(body.current_thread.text, "almost verified")
34+ or strings.icontains(body.current_thread.text, "review complete")
35+ or strings.icontains(body.current_thread.text, "verify profile")
36+ )
37+ )
38+ )
39+ and (
40+ // ML Topic Analysis and Credential Theft Detection
41+ any(beta.ml_topic(body.current_thread.text).topics,
42+ .name in (
43+ "Security and Authentication",
44+ "Secure Message",
45+ "Reminders and Notifications"
46+ )
47+ and .confidence in ("medium", "high")
48+ )
49+ or any(beta.ml_topic(beta.ocr(file.message_screenshot()).text).topics,
50+ .name in (
51+ "Security and Authentication",
52+ "Secure Message",
53+ "Reminders and Notifications"
54+ )
55+ and .confidence in ("medium", "high")
56+ and beta.ocr(file.message_screenshot()).text != ""
57+ )
58+ or any(ml.nlu_classifier(body.current_thread.text).intents,
59+ .name == "cred_theft" and .confidence == "high"
60+ )
61+ or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
62+ .name == "cred_theft" and .confidence == "high"
63+ )
64+ )
65+ // Not from legitimate TikTok or Google domains with DMARC pass
66+ and not (
67+ sender.email.domain.root_domain in $org_domains
68+ or (
69+ sender.email.domain.root_domain in (
70+ "tiktok.com",
71+ "tiktokglobalshop.com",
72+ "bytedance.com",
73+ "tiktokacademy.com",
74+ "webassessor.com" // used for this https://ads.tiktok.com/business/en-US/academy/tiktok-certification
75+ )
76+ and headers.auth_summary.dmarc.pass
77+ )
78+ )
79+ // negate iCloud Private Message Relay
80+ and not (
81+ sender.email.domain.root_domain == "privaterelay.appleid.com"
82+ or any(headers.hops, any(.fields, .name == "X-ICLOUD-HME"))
83+ )
84+ // negate highly trusted sender domains unless they fail DMARC authentication
85+ and (
86+ (
87+ sender.email.domain.root_domain in $high_trust_sender_root_domains
88+ and not headers.auth_summary.dmarc.pass
89+ )
90+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
91+ )
92+ and not profile.by_sender().solicited
93+
94+ attack_types :
95+ - " Credential Phishing"
96+ tactics_and_techniques :
97+ - " Impersonation: Brand"
98+ - " Social engineering"
99+ detection_methods :
100+ - " Computer Vision"
101+ - " Content analysis"
102+ - " Header analysis"
103+ - " Natural Language Understanding"
104+ - " Optical Character Recognition"
105+ - " Sender analysis"
106+ id : " 566894ca-f0cb-5e3c-86c7-c4bba1e3a455"
107+ og_id : " aaacc8b7-fbbd-596d-9268-d90b92bdfcd7"
108+ testing_pr : 3437
109+ testing_sha : 23525e7e904ca64e0b44bec657d4933fdd2f9e3a
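Review bot: The `$org_domains` exclusion at line 67 is not gated on DMARC, unlike the TikTok-domain exclusion directly below it (lines 69-76), so a message that spoofs the organization's own domain and fails DMARC is excluded from detection even though it otherwise matches the impersonation pattern; consider `(sender.email.domain.root_domain in $org_domains and headers.auth_summary.dmarc.pass)`. The comment at line 65 also refers to Google domains, but none appear in the list, so `// Not from legitimate TikTok domains with DMARC pass` would describe the code accurately. The non-empty OCR check at line 56 is applied only to the ml_topic branch and not to the nlu_classifier branch at line 61; this may be intentional if the classifier tolerates empty text, but it reads as an inconsistency worth a comment.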