Brand impersonation: Paperless Post

Detects messages containing two or more images hosted on ppassets.com (Paperless Post's asset domain) but fewer than 2 links to legitimate Paperless Post destinations (links.paperlesspost.com, or paperlesspost.com/go/...), while excluding forwards/replies that show threading evidence and messages whose sender root domain is paperlesspost.com with a passing DMARC result.


 1name: "Brand impersonation: Paperless Post"
 2description: "Detects messages containing multiple images hosted on ppassets.com (Paperless Post's asset domain) but with fewer than 3 legitimate Paperless Post links, while excluding authentic forwards/replies and messages from verified Paperless Post domains with valid DMARC authentication."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and strings.contains(body.html.raw, 'ppassets.com')
 8  and length(filter(html.xpath(body.html, '//img/@src').nodes,
 9                    // calling parse_url allows url decoding to help us
10                    strings.parse_url(.raw).domain.root_domain == 'ppassets.com'
11             )
12  ) >= 2
13  and length(filter(body.links,
14                    .href_url.domain.domain == "links.paperlesspost.com"
15                    or (
16                      .href_url.domain.root_domain == "paperlesspost.com"
17                      and strings.istarts_with(.href_url.path, '/go/')
18                    )
19             )
20  ) < 2
21  and not (
22    (subject.is_forward or subject.is_reply)
23    and (
24      (length(headers.references) != 0 or headers.in_reply_to is not null)
25      or length(body.previous_threads) > 0
26    )
27  )
28  and not (
29    sender.email.domain.root_domain == "paperlesspost.com"
30    and headers.auth_summary.dmarc.pass
31  )  
32attack_types:
33  - "Credential Phishing"
34  - "Malware/Ransomware"
35tactics_and_techniques:
36  - "Impersonation: Brand"
37detection_methods:
38  - "Content analysis"
39  - "Header analysis"
40  - "HTML analysis"
41  - "Sender analysis"
42  - "URL analysis"
43id: "e9ec5e09-e50f-5d02-ad14-35a1a1442960"