Brand impersonation: DHL

Impersonation of the shipping provider DHL.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: DHL"
 2description: |
 3    Impersonation of the shipping provider DHL.
 4references:
 5  - "https://www.helpnetsecurity.com/2020/08/21/q2-2020-email-security-trends/"
 6  - "https://www.dhl.com/ca-en/home/footer/fraud-awareness.html"
 7type: "rule"
 8severity: "low"
 9source: |
10  type.inbound
11  and (
12    regex.icontains(sender.display_name, '\bDHL\b')
13    or strings.ilike(sender.email.domain.domain, '*DHL*')
14    or strings.ilike(subject.subject, '*DHL notification*')
15  )
16  and sender.email.domain.root_domain not in~ (
17    'dhl.com',
18    'dhl-news.com',
19    'bdhllp.com',
20    'dhlparcel.co.uk',
21    'dhlecs.com',
22    'dhl.co.uk',
23    'dpdhl.com',
24    'dhl.de',
25    'dhl.fr'
26  )
27  // first-time sender
28  and (
29    (
30      sender.email.domain.root_domain in $free_email_providers
31      and sender.email.email not in $sender_emails
32    )
33    or (
34      sender.email.domain.root_domain not in $free_email_providers
35      and sender.email.domain.domain not in $sender_domains
36    )
37  )  
38attack_types:
39  - "Credential Phishing"
40tactics_and_techniques:
41  - "Impersonation: Brand"
42  - "Lookalike domain"
43  - "Social engineering"
44detection_methods:
45  - "Header analysis"
46  - "Sender analysis"
47id: "be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5"