[PR #3023] changed rule: Brand impersonation: Twitter

github-actions[bot] · github-actions[bot] · commit 2c3c5b1ccce8 · 2025-07-30T19:46:19.000Z
diff --git a/detection-rules/3023_impersonation_twitter.yml b/detection-rules/3023_impersonation_twitter.yml
@@ -0,0 +1,79 @@
+name: "Brand impersonation: Twitter"
+description: |
+  Impersonation of Twitter.
+references:
+  - "https://www.techrepublic.com/article/phishing-attack-spoofs-twitter-to-steal-account-credentials/"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    // Twitter logic
+    (
+      sender.display_name =~ "twitter"
+      or strings.ilevenshtein(sender.display_name, 'twitter') <= 1
+      or strings.ilike(sender.email.domain.domain, '*twitter*')
+    )
+    // "X" logic
+    or (
+      (
+        2 of (
+          regex.icontains(sender.display_name, '\bX\b'),
+          strings.iends_with(sender.email.domain.root_domain, "-x.com"),
+          strings.ilike(body.current_thread.text,
+                        "*content dispute*",
+                        "*copyright*",
+                        "*appeal*"
+          ),
+          strings.contains(body.current_thread.text, '1355 Market Street')
+        )
+        or (
+          any(ml.logo_detect(beta.message_screenshot()).brands,
+              .name == "X" and .confidence == "high"
+          )
+          and (
+            any(ml.nlu_classifier(body.current_thread.text).intents,
+                .name == "cred_theft" and .confidence == "high"
+            )
+            or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
+                   .name == "cred_theft" and .confidence == "high"
+            )
+          )
+        )
+      )
+      and any(beta.ml_topic(body.current_thread.text).topics,
+              .name in (
+                "Reminders and Notifications",
+                "Security and Authentication",
+                "Legal and Compliance",
+                "Customer Service and Support"
+              )
+      )
+    )
+  )
+  and sender.email.domain.domain not in~ (
+    'twitter.com',
+    'privaterelay.appleid.com',
+    'stripe.com',
+    'x.com',
+    'twitter.discoursemail.com',
+    'slack.com'
+  )
+  // negate Hearsay Systems which sends notifications from sender domain ending in twitter.com
+  and not (
+    strings.ends_with(sender.email.domain.domain, '.hearsay.twitter.com')
+    and strings.ends_with(headers.message_id, '@hearsaysystems.com>')
+  )
+  and sender.email.email not in $recipient_emails
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Lookalike domain"
+  - "Social engineering"
+detection_methods:
+  - "Sender analysis"
+id: "2d4a1e87-3f31-5f5f-8700-7c2bbed30a40"
+og_id: "013c32c2-fa05-5456-9c45-284e008ff6a4"
+testing_pr: 3023
+testing_sha: 958a80aa7b4adaf4dff5d38a2ca9a49bbd6d891a
