From 806a5f77aee69dd53bd7a62d776ad97bbdf04df1 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Mon, 25 Nov 2024 22:51:09 +0000
Subject: [PATCH] Scheduled cleanup Removed 2144

---
 detection-rules/impersonation_schwab.yml | 67 ------------------------
 1 file changed, 67 deletions(-)
 delete mode 100644 detection-rules/impersonation_schwab.yml

diff --git a/detection-rules/impersonation_schwab.yml b/detection-rules/impersonation_schwab.yml
deleted file mode 100644
index 014516abb52..00000000000
--- a/detection-rules/impersonation_schwab.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-name: "Brand impersonation: Charles Schwab"
-description: "Impersonation of Charles Schwab & Co"
-type: "rule"
-severity: "medium"
-source: |
- type.inbound
- and (
- // display name contains charles schwab
- (
- strings.ilike(strings.replace_confusables(sender.display_name),
- '*charles schwab*'
- )
- // no spaces
- or strings.ilike(strings.replace_confusables(sender.display_name),
- '*charlesschwab*'
- )
- // levenshtein distince similar to schwab
- or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
- 'charles schwab'
- ) <= 1
- // sender domain contains schwab
- or strings.ilike(strings.replace_confusables(sender.email.domain.domain),
- '*schwab*'
- )
- )
- )
-
- // and the sender is not in org_domains or from charles shwab domains and passes auth
- and not (
- sender.email.domain.root_domain in $org_domains
- or (
- (
- sender.email.domain.root_domain in (
- "schwab.com",
- "aboutschwab.com.",
- "schwabmoneywise.com",
- "schwabe.com", // law firm with name
- "proxyvote.com", // sends shareholder voting information with subject of company name
- "boheme-schwabing.de", // steakhouse
- "lesschwab.com", // tire sales
- )
- or sender.email.domain.domain in ("schwabebooks.ccsend.com")
- )
- and headers.auth_summary.dmarc.pass
- )
- )
- // and the sender is not from high trust sender root domains
- and (
- (
- sender.email.domain.root_domain in $high_trust_sender_root_domains
- and not headers.auth_summary.dmarc.pass
- )
- or sender.email.domain.root_domain not in $high_trust_sender_root_domains
- )
- and not profile.by_sender().solicited
-attack_types:
- "Credential Phishing"
-tactics_and_techniques:
- "Impersonation: Brand"
- "Lookalike domain"
- "Social engineering"
-detection_methods:
- "Header analysis"
- "Sender analysis"
-id: "7abde595-bd69-5b79-8031-2c5a12b1767e"
-testing_pr: 2144
-testing_sha: 95b2c74fea4a1f80239cc68b5ca346887d645755