Brand impersonation: Greenvelope

Detects messages impersonating Greenvelope invitations that do not originate from a legitimate Greenvelope domain.

Sublime rule (View on GitHub)

# Sublime detection rule: Greenvelope brand impersonation.
# The MQL query under `source` flags inbound mail that shows Greenvelope
# branding but carries no greenvelope.com card/user links and is not exempted
# as coming from a Greenvelope domain. `id` is the rule's stable identifier.
name: "Brand impersonation: Greenvelope"
description: "Detects messages impersonating Greenvelope invitations not originating from legitimate Greenvelope domain."
type: "rule"
severity: "medium"
source: |
  // Inbound mail only; every later clause narrows this set.
  type.inbound
  // Looking for greenvelope phrasing or indicators in HTML
  and (
    strings.icontains(body.html.inner_text, "Powered by greenvelope")
  
    // Look for alt text in HTML for standardized greenvelope formatting if string is not avail.
    or strings.icontains(body.html.raw, 'alt="Greenvelope"')
    or strings.icontains(body.html.raw,
                         'https://www.greenvelope.com/viewer/envelope.ashx'
    )
    // NOTE(review): the copyright indicator is pinned to the year 2025; footers
    // carrying another year only match through the other indicators in this group.
    or strings.icontains(body.current_thread.text, '© 2025 Greenvelope, LLC')
    or strings.icontains(body.current_thread.text,
                         '8 The Green #8901, Dover, DE 19901'
    )
  )
  
  // no links going to greenvelope cards/"admin" links
  // (presumably a genuine invitation links to a /card/ or /user/ path on
  // greenvelope.com; the absence of any such link is treated as a signal)
  and length(filter(body.links,
                    .href_url.domain.root_domain == "greenvelope.com"
                    and (
                      // card links
                      strings.istarts_with(.href_url.path, '/card/')
                      // user links are links for the person that created the card
                      or strings.istarts_with(.href_url.path, '/user/')
                    )
             )
  ) == 0
  
  // Legitimate sender will be from greenvelope, negating known non-associated domains.
  // The From-domain exemption requires an SPF pass; the Return-Path exemption
  // in the second branch does not.
  // NOTE(review): because the Return-Path branch is not tied to an
  // authentication result, it is satisfied by the header value alone. Consider
  // pairing it with headers.auth_summary.spf.pass, as the first branch does,
  // after checking the change against known-good Greenvelope samples.
  and not (
    (
      sender.email.domain.root_domain in (
        "greenvelope.com",
        'greenvelope-email.com'
      )
      and headers.auth_summary.spf.pass
    )
    or headers.return_path.domain.root_domain in (
      "greenvelope.com",
      'greenvelope-email.com'
    )
  )
  
  // avoid fwd/replies
  // (any of the five thread indicators below excludes the message)
  and not (
    subject.is_forward 
    or subject.is_reply
    or length(headers.references) != 0 
    or headers.in_reply_to is not null
    or length(body.previous_threads) > 0
  )
  
  // Capping length to limit FP's
  // (threshold of 1500 characters on the current thread text; assumed to be
  // tuned against genuine invitation samples — confirm before adjusting)
  and length(body.current_thread.text) < 1500  
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "9cbbf9b8-a44a-5d86-8caa-3aef898841c1"