{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/brand-abuse/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["brand-abuse","email","phishing","impersonation"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying potential brand abuse by monitoring email communications. The analytic leverages email header data, specifically the sender\u0026rsquo;s address (src_user), and compares it against a lookup table of known domain permutations. These permutations are generated by the \u0026ldquo;ESCU - DNSTwist Domain Names\u0026rdquo; search. This technique is significant because attackers often use slightly altered domain names to impersonate legitimate organizations in phishing campaigns. By identifying these lookalike domains, organizations can proactively detect and mitigate potential brand abuse and social engineering attacks. If attackers are successful, this can lead to unauthorized access, data theft, and reputational damage. The detection logic is implemented within Splunk and requires the Email data model to be populated. The brandMonitoring_lookup table must be configured with monitored domains for effective detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker registers a domain name that is a permutation of the legitimate brand\u0026rsquo;s domain (e.g., using DNSTwist or similar tools).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a phishing email that appears to originate from the spoofed domain.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the phishing email to potential victims, often targeting employees or customers of the legitimate brand.\u003c/li\u003e\n\u003cli\u003eThe recipient opens the email and may be prompted to click on a link or download an attachment.\u003c/li\u003e\n\u003cli\u003eIf the recipient clicks on a link, they may be redirected to a malicious website designed to steal credentials or install malware.\u003c/li\u003e\n\u003cli\u003eIf the recipient downloads an attachment, it may contain malware that infects their system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the victim\u0026rsquo;s system or network.\u003c/li\u003e\n\u003cli\u003eThe attacker may then steal sensitive data, install ransomware, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful brand abuse can lead to significant financial and reputational damage. Customers may lose trust in the brand, and the organization may incur costs associated with incident response, data breach notification, and legal fees. The impact depends on the scale of the phishing campaign and the sensitivity of the data compromised. This can affect any organization, but is especially harmful to those in regulated industries or those that rely heavily on customer trust.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure that email header data is ingested and the \u003ccode\u003eAll_Email.src_user\u003c/code\u003e field is populated as described in the \u0026ldquo;how_to_implement\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eImplement and regularly update the \u0026ldquo;ESCU - DNSTwist Domain Names\u0026rdquo; search to generate domain permutations for the \u003ccode\u003ebrandMonitoring_lookup\u003c/code\u003e table.\u003c/li\u003e\n\u003cli\u003eDeploy the provided analytic in Splunk Enterprise Security to identify potential brand abuse attempts.\u003c/li\u003e\n\u003cli\u003eInvestigate and respond to any alerts generated by the analytic, prioritizing those with high confidence scores.\u003c/li\u003e\n\u003cli\u003eTune the \u003ccode\u003emonitor_email_for_brand_abuse_filter\u003c/code\u003e macro to reduce false positives based on your specific environment and known email traffic patterns.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to enhance visibility into potential malware execution following a successful phishing attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T17:47:21Z","date_published":"2026-05-28T17:47:21Z","id":"https://feed.craftedsignal.io/briefs/2026-05-monitor-email-brand-abuse/","summary":"This analytic identifies emails claiming to originate from domains similar to those being monitored for abuse by cross-referencing sender addresses with a lookup table of domain permutations, indicating potential phishing or brand impersonation.","title":"Monitor Email for Brand Abuse via Domain Permutations","url":"https://feed.craftedsignal.io/briefs/2026-05-monitor-email-brand-abuse/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["brand-abuse","phishing","network"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis analytic identifies web requests to domains that closely resemble a monitored brand\u0026rsquo;s domain, indicating potential brand abuse. It leverages data from web traffic sources, such as web proxies or network traffic analysis tools, and cross-references these with known domain permutations generated by the \u0026ldquo;ESCU - DNSTwist Domain Names\u0026rdquo; search. The goal is to detect phishing attempts or other malicious activities targeting your brand. Successful attacks could deceive users, steal credentials, or distribute malware, leading to reputational and financial damage. This technique is crucial for defenders to identify and mitigate potential brand impersonation attacks before they result in significant harm.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker registers a domain name that is a close permutation of the target brand\u0026rsquo;s domain (e.g., using DNSTwist or similar tools).\u003c/li\u003e\n\u003cli\u003eThe attacker sets up a web server on the newly registered domain, mimicking the target brand\u0026rsquo;s website.\u003c/li\u003e\n\u003cli\u003eThe attacker sends phishing emails or distributes malicious links that direct users to the fake website.\u003c/li\u003e\n\u003cli\u003eUnsuspecting users click on the links and are redirected to the malicious domain.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s web browser makes a request to the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server logs the request, capturing the user\u0026rsquo;s IP address and other identifying information.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to steal credentials, distribute malware, or conduct other malicious activities.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains access to the user\u0026rsquo;s account or device, leading to potential data breaches or financial losses.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful brand abuse can lead to significant reputational and financial damage. Attackers can deceive users into divulging sensitive information, such as usernames, passwords, and credit card details. Malware distribution can result in system compromise, data loss, and ransomware infections. The number of victims depends on the scale and effectiveness of the phishing campaign. Targeted sectors can vary widely depending on the brand being impersonated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIngest web traffic data from web proxies or network traffic analysis tools into Splunk as described in the \u0026ldquo;how_to_implement\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eRun the \u0026ldquo;ESCU - DNSTwist Domain Names\u0026rdquo; search regularly to generate domain permutations as a baseline, as indicated in the analytic description.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Web Traffic To DNSTwist Domains\u003c/code\u003e to detect web requests to domains that closely resemble your monitored brand\u0026rsquo;s domain.\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any identified instances of potential brand abuse, prioritizing alerts based on the \u003ccode\u003efinding\u003c/code\u003e section\u0026rsquo;s score.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T17:44:29Z","date_published":"2026-05-28T17:44:29Z","id":"https://feed.craftedsignal.io/briefs/2026-05-brand-abuse/","summary":"This analytic identifies web requests to domains that closely resemble a monitored brand's domain, indicating potential brand abuse indicative of phishing or malware distribution attempts.","title":"Monitor Web Traffic For Brand Abuse","url":"https://feed.craftedsignal.io/briefs/2026-05-brand-abuse/"}],"language":"en","title":"CraftedSignal Threat Feed — Brand-Abuse","version":"https://jsonfeed.org/version/1.1"}