From 58bb136e7e1387f412f1c4aef3e199a9a6f1806b Mon Sep 17 00:00:00 2001 From: Sublime Rule Testing Bot Date: Mon, 25 Nov 2024 22:21:32 +0000 Subject: [PATCH] Sync from PR#2168 Create brand_impersonation_bbb.yml by @morriscode https://github.com/sublime-security/sublime-rules/pull/2168 Source SHA ea91adda6c0e70d4251865c95de26a1de959ded5 Triggered by @morriscode --- detection-rules/brand_impersonation_bbb.yml | 45 +++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 detection-rules/brand_impersonation_bbb.yml diff --git a/detection-rules/brand_impersonation_bbb.yml b/detection-rules/brand_impersonation_bbb.yml new file mode 100644 index 00000000000..f222ee3c8ac --- /dev/null +++ b/detection-rules/brand_impersonation_bbb.yml 
@@ -0,0 +1,45 @@
+name: "Brand impersonation: the Better Business Bureau (BBB)"
+description: "Detect impersonation of the Better Business Bureau (BBB)"
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and (
+ // display name contains bbb
+ (
+ regex.icontains(strings.replace_confusables(sender.display_name),
+ '(?:\bBBB\b|better business bureau)'
+ )
+ // or levenshtein distance similar to the full name
+ or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
+ 'better business bureau'
+ ) <= 1
+ )
+ // and the sender is not in org_domains or from the bbb and passes auth
+ and not (
+ sender.email.domain.root_domain in ("bbb.org")
+ and headers.auth_summary.dmarc.pass
+ )
+ )
+ // and the sender is not from high trust sender root domains
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+
+ // not solicited
+ and not profile.by_sender().solicited
+attack_types:
+ - "Credential Phishing"
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
+id: "76f54e5f-c937-5693-b8e7-3ced7dac61f9"
+testing_pr: 2168
+testing_sha: ea91adda6c0e70d4251865c95de26a1de959ded5
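Review bot: The comment above the `and not (` exemption says the sender is "not in org_domains or from the bbb and passes auth", but the condition beneath it only exempts `sender.email.domain.root_domain in ("bbb.org")` with a DMARC pass, so an internal sender whose display name happens to contain "BBB" (an accreditation team, a vendor-management mailbox) would still fire the rule. Either the comment is stale or the internal-domain check is missing; if the latter is intended, add `and not sender.email.domain.domain in $org_domains` after the `bbb.org` exemption (presumably the same list the comment names, so confirm that list exists in this ruleset), otherwise trim the comment to `// and the sender is not from the bbb with passing auth`. Note also that the `bbb.org` carve-out depends entirely on `headers.auth_summary.dmarc.pass`, so mail from the real domain that fails DMARC (forwarded or relayed) will be flagged, which is the safe direction for an impersonation rule but worth stating in the description.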