Brand impersonation: DHL

Detects inbound messages that impersonate the shipping provider DHL (sender identity, subject, branding or shipping-notice content) when the sender is not an authenticated DHL domain.


  1name: "Brand impersonation: DHL"
  2description: |
  3    Impersonation of the shipping provider DHL.
  4references:
  5  - "https://www.helpnetsecurity.com/2020/08/21/q2-2020-email-security-trends/"
  6  - "https://www.dhl.com/ca-en/home/footer/fraud-awareness.html"
  7type: "rule"
  8severity: "low"
  9source: |
 10  type.inbound
 11  and (
 12    regex.icontains(sender.display_name, '\bDHL\b')
 13    or (
 14      strings.ilike(sender.email.domain.domain, '*DHL*')
 15      and length(sender.email.domain.domain) < 15
 16    )
 17    or strings.ilike(subject.subject, '*DHL notification*')
 18    or regex.contains(subject.subject, '\bD.{0,2}H.{0,2}L.{0,2}\b')
 19  )
 20  and (
 21    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
 22    or any(ml.nlu_classifier(body.current_thread.text).entities,
 23           .name == "org" and .text =~ "DHL"
 24    )
 25    or any(ml.logo_detect(file.message_screenshot()).brands,
 26           .name == "DHL" and .confidence in ("medium", "high")
 27    )
 28    or regex.icontains(body.current_thread.text, '\bDHL\b')
 29    // it contains a QR code
 30    or (
 31      //
 32      // This rule makes use of a beta feature and is subject to change without notice
 33      // using the beta feature in custom rules is not suggested until it has been formally released
 34      //
 35      beta.scan_qr(file.message_screenshot()).found
 36      and any(beta.scan_qr(file.message_screenshot()).items, .type == "url")
 37    )
 38    //
 39    // This rule makes use of a beta feature and is subject to change without notice
 40    // using the beta feature in custom rules is not suggested until it has been formally released
 41    //
 42    or strings.ilike(beta.ocr(file.message_screenshot()).text,
 43                     "*package*",
 44                     "*parcel*",
 45                     "*shipping*",
 46                     "*delivery*",
 47                     "*track*"
 48    )
 49    or strings.ilike(body.current_thread.text,
 50                     "*package*",
 51                     "*parcel*",
 52                     "*shipping*",
 53                     "*delivery*",
 54                     "*track*"
 55    )
 56  )
 57  and (
 58    (
 59      (
 60        length(headers.references) > 0
 61        or not any(headers.hops,
 62                   any(.fields, strings.ilike(.name, "In-Reply-To"))
 63        )
 64      )
 65      and not (
 66        (
 67          strings.istarts_with(subject.subject, "RE:")
 68          or strings.istarts_with(subject.subject, "RES:")
 69          or strings.istarts_with(subject.subject, "R:")
 70          or strings.istarts_with(subject.subject, "ODG:")
 71          or strings.istarts_with(subject.subject, "答复:")
 72          or strings.istarts_with(subject.subject, "AW:")
 73          or strings.istarts_with(subject.subject, "TR:")
 74          or strings.istarts_with(subject.subject, "FWD:")
 75          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
 76        )
 77      )
 78    )
 79    or length(headers.references) == 0
 80  )
 81  and sender.email.domain.root_domain not in~ (
 82    'dhl.com',
 83    'dhl-news.com',
 84    'bdhllp.com',
 85    'dhlecommerce.co.uk',
 86    'dhlparcel.co.uk',
 87    'dhlecs.com',
 88    'dhl.co.uk',
 89    'dhl.co.tz',
 90    'dpdhl.com',
 91    'dhl.de',
 92    'dhl.fr',
 93    'dhl.pl',
 94    'dhlexpress.fr', // legit dhl site
 95    'dhlending.com',
 96    'inmotion.dhl',
 97    'dhlparcel.nl',
 98    'dhltariff.co.uk',
 99    'dhlindia-kyc.com',
100    'dpogroup.com',
101    '4flow-service.com', // shipping service
102    'leaders-in-logistics.com', // legit sight for leadership webinar events
103    'deutschepost.de', // German postal service
104    'dhlecommerce.nl',
105    'dhl.nl',
106    'adhlawfirm.com', // similar name but unrelated
107    'attendhlth.com', // dhl in domain but unrelated
108    'tdhlaw.com' // dhl in domain but unrelated
109  )
110  and (
111    profile.by_sender().prevalence in ("new", "outlier")
112    or (
113      profile.by_sender().any_messages_malicious_or_spam
114      and not profile.by_sender().any_messages_benign
115    )
116  )
117  
118  // negate highly trusted sender domains unless they fail DMARC authentication
119  and (
120    (
121      sender.email.domain.root_domain in $high_trust_sender_root_domains
122      and not headers.auth_summary.dmarc.pass
123    )
124    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
125  )  
126
127attack_types:
128  - "Credential Phishing"
129tactics_and_techniques:
130  - "Impersonation: Brand"
131  - "Lookalike domain"
132  - "Social engineering"
133detection_methods:
134  - "Header analysis"
135  - "Sender analysis"
136id: "be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5"