Brand Impersonation: AliExpress
Detects messages impersonating AliExpress by matching known footer text and social media links, while confirming the sender is not legitimately from AliExpress or its infrastructure.
Sublime rule (View on GitHub)
# Sublime detection rule: flags inbound mail that reuses AliExpress's footer
# (its postal address or its social-profile links) but does not come from
# authenticated AliExpress/Alibaba infrastructure.
name: "Brand Impersonation: AliExpress"
description: "Detects messages impersonating AliExpress by matching known footer text and social media links, while confirming the sender is not legitimately from AliExpress or its infrastructure."
type: "rule"
severity: "medium"
source: |
  // Only inbound messages are evaluated.
  type.inbound
  and (
    // Brand marker 1: the postal address printed in the AliExpress footer
    // (case-insensitive substring match on the current thread's text).
    strings.icontains(body.current_thread.text,
                      '26/F Tower One, Times Square, 1 Matheson Street, Causeway Bay'
    )
    // Brand marker 2: the social-profile links printed in the footer.
    // length(filter(...)) counts matching link objects, so four copies of the
    // same profile URL satisfy the >= 4 threshold as readily as four
    // different profiles do.
    or (
      length(filter(body.links,
                    strings.icontains(.href_url.url,
                                      'https://www.facebook.com/aliexpressbr'
                    )
                    or strings.icontains(.href_url.url,
                                         'https://twitter.com/aliexpressbr'
                    )
                    or strings.icontains(.href_url.url,
                                         'https://www.youtube.com/user/AliExpressChannel'
                    )
                    or strings.icontains(.href_url.url,
                                         'https://www.instagram.com/aliexpressbr'
                    )
                    // whatsapp
                    or strings.icontains(.href_url.url,
                                         'https://wa.me/8657186563839'
                    )
                    // messenger
                    or strings.icontains(.href_url.url, 'https://m.me/AliExpress')
      )
      ) >= 4
    )
  )
  // Legitimate senders are exempted only when BOTH conditions hold: the sender
  // root domain is AliExpress/Alibaba AND DMARC passes. A From: address on one
  // of these domains that fails DMARC therefore still fires the rule.
  and not (
    sender.email.domain.root_domain in ("aliexpress.com", "alibaba.com")
    and headers.auth_summary.dmarc.pass
  )
  // Exempt mail whose header chain shows the parent org's mail server.
  // NOTE(review): this is a root-domain match over headers.domains; confirm
  // which headers populate that field so the exemption only reflects values
  // the receiving infrastructure vouches for.
  and not (any(headers.domains, .root_domain in ('aliyun-inc.com')))

# Classification metadata used for triage, search and reporting.
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "URL analysis"
# Stable identifier for this rule.
id: "b14703d8-5655-5a09-8a21-ef349ab435ea"