Brand impersonation: DHL

  1name: "Brand impersonation: DHL"
  2description: |
  3    Impersonation of the shipping provider DHL.
  4references:
  5  - "https://www.helpnetsecurity.com/2020/08/21/q2-2020-email-security-trends/"
  6  - "https://www.dhl.com/ca-en/home/footer/fraud-awareness.html"
  7type: "rule"
  8severity: "low"
  9source: |
 10  type.inbound
 11  and (
 12    regex.icontains(sender.display_name, '\bDHL\b')
 13    or strings.ilike(sender.email.domain.domain, '*DHL*')
 14    or strings.ilike(subject.subject, '*DHL notification*')
 15    or regex.contains(subject.subject, '\bD.{0,2}H.{0,2}L.{0,2}\b')
 16  )
 17  and (
 18    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
 19    or any(ml.nlu_classifier(body.current_thread.text).entities,
 20           .name == "org" and .text =~ "DHL"
 21    )
 22    or any(ml.logo_detect(beta.message_screenshot()).brands,
 23           .name == "DHL" and .confidence in ("medium", "high")
 24    )
 25    or regex.icontains(body.current_thread.text, '\bDHL\b')
 26    or (
 27      any(file.explode(beta.message_screenshot()),
 28          strings.ilike(.scan.ocr.raw,
 29                        "*package*",
 30                        "*parcel*",
 31                        "*shipping*",
 32                        "*delivery*",
 33                        "*track*"
 34          )
 35      )
 36      or strings.ilike(body.current_thread.text,
 37                       "*package*",
 38                       "*parcel*",
 39                       "*shipping*",
 40                       "*delivery*",
 41                       "*track*"
 42      )
 43    )
 44  )
 45  and (
 46    (
 47      (
 48        length(headers.references) > 0
 49        or not any(headers.hops,
 50                   any(.fields, strings.ilike(.name, "In-Reply-To"))
 51        )
 52      )
 53      and not (
 54        (
 55          strings.istarts_with(subject.subject, "RE:")
 56          or strings.istarts_with(subject.subject, "RES:")
 57          or strings.istarts_with(subject.subject, "R:")
 58          or strings.istarts_with(subject.subject, "ODG:")
 59          or strings.istarts_with(subject.subject, "答复:")
 60          or strings.istarts_with(subject.subject, "AW:")
 61          or strings.istarts_with(subject.subject, "TR:")
 62          or strings.istarts_with(subject.subject, "FWD:")
 63          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
 64        )
 65      )
 66    )
 67    or length(headers.references) == 0
 68  )
 69  and sender.email.domain.root_domain not in~ (
 70    'dhl.com',
 71    'dhl-news.com',
 72    'bdhllp.com',
 73    'dhlecommerce.co.uk',
 74    'dhlparcel.co.uk',
 75    'dhlecs.com',
 76    'dhl.co.uk',
 77    'dhl.co.tz',
 78    'dpdhl.com',
 79    'dhl.de',
 80    'dhl.fr',
 81    'dhlexpress.fr', // legit dhl site
 82    'dhlending.com',
 83    'inmotion.dhl',
 84    'dhlparcel.nl',
 85    'dhltariff.co.uk',
 86    'dhlindia-kyc.com',
 87    'dpogroup.com',
 88    '4flow-service.com'  // shipping service
 89  )
 90  and (
 91    profile.by_sender().prevalence in ("new", "outlier")
 92    or (
 93      profile.by_sender().any_messages_malicious_or_spam
 94      and not profile.by_sender().any_false_positives
 95    )
 96  )
 97
 98  // negate highly trusted sender domains unless they fail DMARC authentication
 99  and (
100    (
101      sender.email.domain.root_domain in $high_trust_sender_root_domains
102      and not headers.auth_summary.dmarc.pass
103    )
104    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
105  )  
106
107attack_types:
108  - "Credential Phishing"
109tactics_and_techniques:
110  - "Impersonation: Brand"
111  - "Lookalike domain"
112  - "Social engineering"
113detection_methods:
114  - "Header analysis"
115  - "Sender analysis"
116id: "be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5"