Brand impersonation: DHL
Impersonation of the shipping provider DHL.
Sublime rule
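name: "Brand impersonation: DHL"
description: |
  Impersonation of the shipping provider DHL.
references:
  - "https://www.helpnetsecurity.com/2020/08/21/q2-2020-email-security-trends/"
  - "https://www.dhl.com/ca-en/home/footer/fraud-awareness.html"
type: "rule"
severity: "low"
source: |
  type.inbound

  // 1. The sender or subject has to claim DHL. Only one signal is needed:
  //    display name, sending domain, a stock "DHL notification" subject, or a
  //    case-sensitive "D?H?L" pattern that also tolerates up to two filler
  //    characters between the letters (e.g. "D.H.L", "D H L").
  and (
    regex.icontains(sender.display_name, '\bDHL\b')
    or strings.ilike(sender.email.domain.domain, '*DHL*')
    or strings.ilike(subject.subject, '*DHL notification*')
    or regex.contains(subject.subject, '\bD.{0,2}H.{0,2}L.{0,2}\b')
  )

  // 2. The body has to look like a DHL / shipping lure: NLU urgency or org
  //    entity, a DHL logo in the rendered screenshot, "DHL" in the text, or
  //    generic parcel/tracking wording found either by OCR of the screenshot
  //    or in the plain text of the current thread.
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
    or any(ml.nlu_classifier(body.current_thread.text).entities,
           .name == "org" and .text =~ "DHL"
    )
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           .name == "DHL" and .confidence in ("medium", "high")
    )
    or regex.icontains(body.current_thread.text, '\bDHL\b')
    or (
      any(file.explode(beta.message_screenshot()),
          strings.ilike(.scan.ocr.raw,
                        "*package*",
                        "*parcel*",
                        "*shipping*",
                        "*delivery*",
                        "*track*"
          )
      )
      or strings.ilike(body.current_thread.text,
                       "*package*",
                       "*parcel*",
                       "*shipping*",
                       "*delivery*",
                       "*track*"
      )
    )
  )

  // 3. Skip replies/forwards in an existing thread. A message is treated as a
  //    reply only when it carries References (or no In-Reply-To hop field)
  //    AND a reply/forward-style subject prefix; a message with no References
  //    header at all is always evaluated.
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "RES:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
        )
      )
    )
    or length(headers.references) == 0
  )

  // 4. Exempt legitimate DHL properties and known-benign "dhl"-containing
  //    domains, but ONLY when the message authenticates. A spoofed From: on
  //    one of these root domains that fails DMARC must still be evaluated;
  //    an unconditional exemption would hand attackers a bypass. This mirrors
  //    the DMARC gating applied to $high_trust_sender_root_domains below.
  and not (
    sender.email.domain.root_domain in~ (
      'dhl.com',
      'dhl-news.com',
      'bdhllp.com',
      'dhlecommerce.co.uk',
      'dhlparcel.co.uk',
      'dhlecs.com',
      'dhl.co.uk',
      'dhl.co.tz',
      'dpdhl.com',
      'dhl.de',
      'dhl.fr',
      'dhl.pl',
      'dhlexpress.fr', // legit dhl site
      'dhlending.com',
      'inmotion.dhl',
      'dhlparcel.nl',
      'dhltariff.co.uk',
      'dhlindia-kyc.com',
      'dpogroup.com',
      '4flow-service.com' // shipping service
    )
    and headers.auth_summary.dmarc.pass
  )

  // 5. Sender reputation: unknown/unusual sender, or a sender with prior
  //    malicious/spam verdicts and no recorded false positives.
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // 6. Negate highly trusted sender domains unless they fail DMARC
  //    authentication (a failing message from a trusted domain is still
  //    scored, since that is exactly what a spoof looks like).
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
# The source above uses NLU entities, logo detection and OCR on the rendered
# message in addition to header/sender checks, so list those methods too.
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5"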