Brand Impersonation: Shein

Detects suspicious Shein-branded communications using display name impersonation, logo detection, and deceptive content analysis. Includes checks for security/authentication topics, secure messages, notifications, and promotional content like fake surveys or giveaways. Excludes legitimate Shein domains with proper authentication and known trusted senders.


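  # Sublime Security detection rule; the MQL expression lives in the `source`
  # block scalar. It fires when a message (1) carries a Shein branding signal,
  # (2) carries a lure-style content signal, and (3) none of the
  # legitimate-sender exclusions hold.
  name: "Brand Impersonation: Shein"
  description: "Detects suspicious Shein-branded communications using display name impersonation, logo detection, and deceptive content analysis. Includes checks for security/authentication topics, secure messages, notifications, and promotional content like fake surveys or giveaways. Excludes legitimate Shein domains with proper authentication and known trusted senders."
  type: "rule"
  severity: "medium"
  source: |
    // only inbound mail is evaluated
    type.inbound
    and (
      // (1) branding signal, either of:
      //  (a) display name contains a Shein-like token after confusable
      //      replacement: "sh" + exactly two of [i,e] + "n" as a whole word,
      //      i.e. shein / shien / shiin / sheen. "sheen" is carved out
      //      (presumably the ordinary English word -- confirm)
      (
        (
          regex.icontains(strings.replace_confusables(sender.display_name),
                          '\bsh[ie]{2}n\b'
          )
          and not strings.icontains(sender.display_name, "sheen")
        )
        //  (b) the rendered message shows exactly one detected brand logo,
        //      and it is Shein at high confidence
        or (
          length(ml.logo_detect(file.message_screenshot()).brands) == 1
          and all(ml.logo_detect(file.message_screenshot()).brands,
                  .name == "Shein" and .confidence == "high"
          )
        )
      )
    )
    // (2) content signal, any of:
    and (
      // every NLU topic on the body text is one of the lure-style topics at
      // medium/high confidence; length > 0 so an empty topic list cannot
      // satisfy all()
      (
        length(ml.nlu_classifier(body.current_thread.text).topics) > 0
        and all(ml.nlu_classifier(body.current_thread.text).topics,
                .name in (
                  "Security and Authentication",
                  "Secure Message",
                  "Reminders and Notifications",
                  "Advertising and Promotions" // fake surveys/giveaways have been observed
                )
                and .confidence in ("medium", "high")
        )
      )
      // same check on the OCR'd text of the message screenshot; the
      // non-empty-text guard is loop-invariant, so it is checked once up
      // front rather than inside the all() predicate
      or (
        beta.ocr(file.message_screenshot()).text != ""
        and length(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics) > 0
        and all(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
                .name in (
                  "Security and Authentication",
                  "Secure Message",
                  "Reminders and Notifications",
                  "Advertising and Promotions" // fake surveys/giveaways have been observed
                )
                and .confidence in ("medium", "high")
        )
      )
      // or a high-confidence credential-theft intent, in body text or OCR text
      or any(ml.nlu_classifier(body.current_thread.text).intents,
             .name == "cred_theft" and .confidence == "high"
      )
      or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
             .name == "cred_theft" and .confidence == "high"
      )
    )

    // (3a) exclude: sender is in org_domains, or is a known Shein-related
    // sender that authenticates (or otherwise looks like a genuine newsletter)
    and not (
      sender.email.domain.root_domain in $org_domains
      or (
        length(attachments) == 1
        // this is Shein's return label generator
        and all(attachments,
                .file_type == "pdf"
                and strings.icontains(beta.parse_exif(.).creator, "MondialRelay")
        )
      )
      or (
        // NOTE(review): cash.app and capitaloneshopping.com are not Shein
        // domains; presumably they send legitimate Shein-branded offers -- confirm
        sender.email.domain.root_domain in (
          "shein.com",
          "shein.com.mx",
          "sheinemail.com",
          "shein.co.uk",
          "sheingroup.com",
          "sheinnotice.com",
          "cash.app",
          "capitaloneshopping.com"
        )
        and (
          headers.auth_summary.dmarc.pass
          // for when DMARC fails, but it's still a legit Shein newsletter.
          // NOTE(review): a DMARC-failing message whose sender domain is a Shein
          // domain is also what a spoofed sender looks like; this fallback still
          // excludes it when more than 10 links exist and over 60% of them point
          // at the listed domains, which leaves up to 40% of links unconstrained.
          // Confirm this tolerance is intended. Also "shein.com.mx" appears in
          // the sender list above but not in this link list -- confirm.
          or (
            length(body.links) > 10
            and ratio(body.links,
                      .href_url.domain.root_domain in (
                        "shein.com",
                        "sheinemail.com",
                        "shein.co.uk",
                        "sheingroup.com",
                        "sheinnotice.com",
                        "cash.app",
                        "capitaloneshopping.com"
                      )
            ) > 0.6
          )
        )
      )
      // parse out original sender domain from Apple Private Relay info:
      // relay/iCloud senders whose local part embeds a Shein domain
      or (
        sender.email.domain.domain in ("privaterelay.appleid.com", "icloud.com")
        and strings.ilike(sender.email.local_part,
                          '*shein_com*',
                          '*sheinemail_com*'
        )
      )
    )
    // (3b) exclude high-trust sender root domains, but only when they pass
    // DMARC (equivalent to: not (in high_trust and dmarc.pass))
    and (
      (
        sender.email.domain.root_domain in $high_trust_sender_root_domains
        and not headers.auth_summary.dmarc.pass
      )
      or sender.email.domain.root_domain not in $high_trust_sender_root_domains
    )
    // (3c) exclude senders the profile marks as solicited, but only when both
    // DMARC and SPF pass
    and (
      not profile.by_sender().solicited
      or not headers.auth_summary.dmarc.pass
      or not headers.auth_summary.spf.pass
    )

  attack_types:
    - "Credential Phishing"
    - "Spam"
  tactics_and_techniques:
    - "Impersonation: Brand"
    - "Social engineering"
  detection_methods:
    - "Computer Vision"
    - "Content analysis"
    - "Header analysis"
    - "Natural Language Understanding"
    - "Optical Character Recognition"
    - "Sender analysis"
  id: "b5843f22-9b49-56a0-a6db-259920a0c7fa"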