[PR #3458] added rule: Brand impersonation: Booking.com

github-actions[bot] · github-actions[bot] · commit 99fdf43f7170 · 2025-10-31T23:54:41.000Z
diff --git a/detection-rules/3458_brand_impersonation_booking_com.yml b/detection-rules/3458_brand_impersonation_booking_com.yml
@@ -0,0 +1,105 @@
+name: "Brand impersonation: Booking.com"
+description: "Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(body.links) < 10
+  and (
+    any(ml.nlu_classifier(body.current_thread.text).topics,
+        .name in (
+          "Travel and Transportation",
+          "Customer Service and Support",
+          "Security and Authentication"
+        )
+        and .confidence != "low"
+    )
+    // handle instances in which ml_topic does not hit
+    or (
+      length(body.links) == 0
+      and length(attachments) == 0
+      and length(body.current_thread.text) < 1000
+      and strings.icontains(sender.display_name, "booking.com")
+    )
+  )
+  and (
+    any(ml.nlu_classifier(body.current_thread.text).entities,
+        .name == "org" and .text == "Booking.com"
+    )
+    or strings.icontains(body.current_thread.text, ' booking.com ')
+    or strings.icontains(sender.display_name, "booking.com")
+  )
+  and (
+    any(ml.nlu_classifier(body.current_thread.text).intents,
+        .name == "cred_theft"
+    )
+    or any(body.links,
+           strings.ilike(.display_text,
+                         "*review*",
+                         "*response*",
+                         "*respond*",
+                         "*complaint*",
+                         "*contact*",
+                         "*accommodation*"
+           )
+           or .display_url.domain.root_domain == "booking.com" and .mismatched
+           or network.whois(.href_url.domain).days_old < 30
+           or strings.icontains(.href_url.path, "/redir")
+    )
+    // check for text strings that betray intent
+    or regex.icontains(body.current_thread.text, '(?:book\sa|open)\srooms', )
+    or strings.ilike(body.current_thread.text, "* availab*", )
+    // two seperate HTML elements impersonating the logo
+    or (
+      any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes,
+          .display_text =~ "Booking"
+      )
+      and any(html.xpath(body.html, '//*[text()[normalize-space()]]').nodes,
+              .display_text =~ ".com"
+      )
+    )
+  )
+  and not (
+    sender.email.domain.root_domain in~ ('booking.com', 'siteminder.com')
+    and headers.auth_summary.dmarc.pass
+  )
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_messages_benign
+    )
+  )
+  
+  // negate microsoft quarantine messages
+  and not (
+    sender.email.email == "quarantine@messaging.microsoft.com"
+    and (
+      headers.auth_summary.dmarc.pass
+      // no sender auth but MS AuthAs is Internal
+      or (
+        not coalesce(headers.auth_summary.dmarc.pass, false)
+        and any(headers.hops,
+                .index == 0
+                and any(.fields,
+                        .name == "X-MS-Exchange-CrossTenant-AuthAs"
+                        and .value == "Internal"
+                )
+        )
+      )
+    )
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Natural Language Understanding"
+  - "Header analysis"
+  - "Sender analysis"
+id: "15cec561-2dbf-5a51-96d3-a98734640c3d"
+og_id: "d1d8882f-f7e2-522e-85e9-b33b1ab5c979"
+testing_pr: 3458
+testing_sha: 5929b020fcbb198354ab84f5c0038bc76f18832a
