Brand impersonation: DHL

calendar Dec 1, 2025  ·
Share on: linkedin copy

Impersonation of the shipping provider DHL.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: DHL"
  2description: |
  3    Impersonation of the shipping provider DHL.
  4references:
  5  - "https://www.helpnetsecurity.com/2020/08/21/q2-2020-email-security-trends/"
  6  - "https://www.dhl.com/ca-en/home/footer/fraud-awareness.html"
  7type: "rule"
  8severity: "low"
  9source: |
 10  type.inbound
 11  and (
 12    regex.icontains(sender.display_name, '\bDHL\b')
 13    or (
 14      strings.ilike(sender.email.domain.domain, '*DHL*')
 15      and length(sender.email.domain.domain) < 15
 16    )
 17    or strings.ilike(subject.subject, '*DHL notification*')
 18    or regex.icontains(subject.subject, 'dhl? express')
 19    or regex.contains(subject.subject, '\bD.{0,2}H.{0,2}L.{0,2}\b')
 20    or (
 21      any(ml.nlu_classifier(body.current_thread.text).topics,
 22          .name == "Shipping and Package" and .confidence == "high"
 23      )
 24      and strings.contains(body.current_thread.text, 'DHL ')
 25    )
 26  )
 27  and (
 28    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
 29    or any(ml.nlu_classifier(body.current_thread.text).entities,
 30           .name == "org"
 31           and (
 32             .text =~ "DHL" 
 33             or .text =~ "DHL Express"
 34             or strings.istarts_with(.text, "DHL International")
 35           )
 36    )
 37    or any(ml.logo_detect(file.message_screenshot()).brands,
 38           .name == "DHL" and .confidence in ("medium", "high")
 39    )
 40    or regex.icontains(body.current_thread.text, '\bDHL\b')
 41    // it contains a QR code
 42    or (
 43      //
 44      // This rule makes use of a beta feature and is subject to change without notice
 45      // using the beta feature in custom rules is not suggested until it has been formally released
 46      //
 47      beta.scan_qr(file.message_screenshot()).found
 48      and any(beta.scan_qr(file.message_screenshot()).items, .type == "url")
 49    )
 50    //
 51    // This rule makes use of a beta feature and is subject to change without notice
 52    // using the beta feature in custom rules is not suggested until it has been formally released
 53    //
 54    or strings.ilike(beta.ocr(file.message_screenshot()).text,
 55                     "*package*",
 56                     "*parcel*",
 57                     "*shipping*",
 58                     "*delivery*",
 59                     "*track*"
 60    )
 61    or strings.ilike(body.current_thread.text,
 62                     "*package*",
 63                     "*parcel*",
 64                     "*shipping*",
 65                     "*delivery*",
 66                     "*track*"
 67    )
 68  )
 69  and (
 70    (
 71      (
 72        length(headers.references) > 0
 73        or not any(headers.hops,
 74                   any(.fields, strings.ilike(.name, "In-Reply-To"))
 75        )
 76      )
 77      and not (
 78        (
 79          strings.istarts_with(subject.subject, "RE:")
 80          or strings.istarts_with(subject.subject, "RES:")
 81          or strings.istarts_with(subject.subject, "R:")
 82          or strings.istarts_with(subject.subject, "ODG:")
 83          or strings.istarts_with(subject.subject, "答复:")
 84          or strings.istarts_with(subject.subject, "AW:")
 85          or strings.istarts_with(subject.subject, "TR:")
 86          or strings.istarts_with(subject.subject, "FWD:")
 87          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
 88        )
 89      )
 90    )
 91    or length(headers.references) == 0
 92  )
 93  and sender.email.domain.root_domain not in~ (
 94    'dhl.com',
 95    'dhl-news.com',
 96    'bdhllp.com',
 97    'dhlecommerce.co.uk',
 98    'dhlparcel.co.uk',
 99    'dhlecs.com',
100    'dhl.co.uk',
101    'dhl.co.tz',
102    'dpdhl.com',
103    'dhl.de',
104    'dhl.fr',
105    'dhl.pl',
106    'dhlexpress.fr', // legit dhl site
107    'dhlending.com',
108    'inmotion.dhl',
109    'dhlparcel.nl',
110    'dhltariff.co.uk',
111    'dhlindia-kyc.com',
112    'dpogroup.com',
113    '4flow-service.com', // shipping service
114    'leaders-in-logistics.com', // legit sight for leadership webinar events
115    'deutschepost.de', // German postal service
116    'dhlecommerce.nl',
117    'dhl.nl',
118    'adhlawfirm.com', // similar name but unrelated
119    'attendhlth.com', // dhl in domain but unrelated
120    'tdhlaw.com', // dhl in domain but unrelated
121    'hapibenefits.com', // DHL rewards program
122    'dhlgpi.com', // DHL Australia
123    'dhlfreight-news.com'
124  )
125  and (
126    profile.by_sender().prevalence in ("new", "outlier")
127    or (
128      profile.by_sender().any_messages_malicious_or_spam
129      and not profile.by_sender().any_messages_benign
130    )
131  )
132  
133  // negate highly trusted sender domains unless they fail DMARC authentication
134  and (
135    (
136      sender.email.domain.root_domain in $high_trust_sender_root_domains
137      and not headers.auth_summary.dmarc.pass
138    )
139    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
140  )  
141
142attack_types:
143  - "Credential Phishing"
144tactics_and_techniques:
145  - "Impersonation: Brand"
146  - "Lookalike domain"
147  - "Social engineering"
148detection_methods:
149  - "Header analysis"
150  - "Sender analysis"
151id: "be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5"
to-top