Brand impersonation: Paperless Post

Detects messages containing multiple images hosted on ppassets.com (Paperless Post's asset domain) but with fewer than 2 legitimate Paperless Post links (links.paperlesspost.com, or paperlesspost.com under `/go/`) — or whose "view the card" / "view and reply" call-to-action points away from paperlesspost.com — while excluding genuine forwards/replies and messages whose sender is a Paperless Post domain with a DMARC pass. Note that the link threshold in the rule is `< 2`, i.e. zero or one legitimate link.

Sublime rule

 1name: "Brand impersonation: Paperless Post"
 2description: "Detects messages containing multiple images hosted on ppassets.com (Paperless Post's asset domain) but with fewer than 3 legitimate Paperless Post links, while excluding authentic forwards/replies and messages from verified Paperless Post domains with valid DMARC authentication."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and strings.contains(body.html.raw, 'ppassets.com')
 8  and length(filter(html.xpath(body.html, '//img/@src').nodes,
 9                    // calling parse_url allows url decoding to help us
10                    strings.parse_url(.raw).domain.root_domain == 'ppassets.com'
11             )
12  ) >= 2
13  and (
14    length(filter(body.links,
15                  .href_url.domain.domain == "links.paperlesspost.com"
16                  or (
17                    .href_url.domain.root_domain == "paperlesspost.com"
18                    and strings.istarts_with(.href_url.path, '/go/')
19                  )
20           )
21    ) < 2
22    or any(body.links,
23           regex.icontains(.display_text, '(?:view the card|view and reply)')
24           and .href_url.domain.root_domain != "paperlesspost.com"
25    )
26  )
27  and not (
28    (subject.is_forward or subject.is_reply)
29    and (
30      (length(headers.references) != 0 or headers.in_reply_to is not null)
31      or length(body.previous_threads) > 0
32    )
33  )
34  and not (
35    sender.email.domain.root_domain == "paperlesspost.com"
36    and headers.auth_summary.dmarc.pass
37  )  
38
39attack_types:
40  - "Credential Phishing"
41  - "Malware/Ransomware"
42tactics_and_techniques:
43  - "Impersonation: Brand"
44detection_methods:
45  - "Content analysis"
46  - "Header analysis"
47  - "HTML analysis"
48  - "Sender analysis"
49  - "URL analysis"
50id: "e9ec5e09-e50f-5d02-ad14-35a1a1442960"