Brand impersonation: DHL

Impersonation of the shipping provider DHL.

Sublime rule (View on GitHub)

name: "Brand impersonation: DHL"
description: |
    Impersonation of the shipping provider DHL.
references:
  - "https://www.helpnetsecurity.com/2020/08/21/q2-2020-email-security-trends/"
  - "https://www.dhl.com/ca-en/home/footer/fraud-awareness.html"
type: "rule"
severity: "low"
source: |
  type.inbound
  // Brand signal: DHL is referenced in the sender display name, a short sender
  // domain, the subject, or a high-confidence shipping-topic body that contains "DHL ".
  and (
    regex.icontains(sender.display_name, '\bDHL\b')
    or (
      strings.ilike(sender.email.domain.domain, '*DHL*')
      // presumably the length bound keeps long, unrelated domains that merely
      // contain "dhl" from matching the wildcard; the threshold is not documented
      and length(sender.email.domain.domain) < 15
    )
    or strings.ilike(subject.subject, '*DHL notification*')
    or regex.icontains(subject.subject, 'dhl? express')
    // case-sensitive (regex.contains, not icontains): matches "D H L" / "D.H.L"
    // style spacing, allowing up to two characters between the letters
    or regex.contains(subject.subject, '\bD.{0,2}H.{0,2}L.{0,2}\b')
    or (
      any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "Shipping and Package" and .confidence == "high"
      )
      and strings.contains(body.current_thread.text, 'DHL ')
    )
  )
  // Context signal: an urgency or DHL org entity, a DHL logo, "DHL" in the body,
  // a QR code carrying a URL, or shipping vocabulary in the screenshot OCR or body.
  // The QR and vocabulary branches are not DHL-specific; the brand group above is
  // what ties them to DHL.
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
    or any(ml.nlu_classifier(body.current_thread.text).entities,
           .name == "org"
           and (
             .text =~ "DHL"
             or .text =~ "DHL Express"
             or strings.istarts_with(.text, "DHL International")
           )
    )
    // logo detection accepts medium confidence, whereas the topic check above requires high
    or any(ml.logo_detect(file.message_screenshot()).brands,
           .name == "DHL" and .confidence in ("medium", "high")
    )
    or regex.icontains(body.current_thread.text, '\bDHL\b')
    // it contains a QR code
    or (
      //
      // This rule makes use of a beta feature and is subject to change without notice
      // using the beta feature in custom rules is not suggested until it has been formally released
      //
      beta.scan_qr(file.message_screenshot()).found
      and any(beta.scan_qr(file.message_screenshot()).items, .type == "url")
    )
    //
    // This rule makes use of a beta feature and is subject to change without notice
    // using the beta feature in custom rules is not suggested until it has been formally released
    //
    or strings.ilike(beta.ocr(file.message_screenshot()).text,
                     "*package*",
                     "*parcel*",
                     "*shipping*",
                     "*delivery*",
                     "*track*"
    )
    or strings.ilike(body.current_thread.text,
                     "*package*",
                     "*parcel*",
                     "*shipping*",
                     "*delivery*",
                     "*track*"
    )
  )
  // Thread handling: a message with no References header always passes this group;
  // a message with References passes only when the subject does not mark it as a
  // reply or forward (RE:, FWD:, localized prefixes, or bracketed tags + re/fwd).
  and (
    (
      (length(headers.references) > 0 or headers.in_reply_to is null)
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "RES:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
        )
      )
    )
    or length(headers.references) == 0
  )
  // Sender root domains exempt from the rule (in~ compares case-insensitively):
  // DHL-related domains plus unrelated domains that happen to contain "dhl",
  // per the inline notes.
  and sender.email.domain.root_domain not in~ (
    'dhl.com',
    'dhl-news.com',
    'bdhllp.com',
    'dhlecommerce.co.uk',
    'dhlparcel.co.uk',
    'dhlecs.com',
    'dhl.co.uk',
    'dhl.co.tz',
    'dpdhl.com',
    'dhl.de',
    'dhl.fr',
    'dhl.pl',
    'dhlexpress.fr', // legit dhl site
    'dhlending.com',
    'inmotion.dhl',
    'dhlparcel.nl',
    'dhltariff.co.uk',
    'dhlindia-kyc.com',
    'dpogroup.com',
    '4flow-service.com', // shipping service
    'leaders-in-logistics.com', // legit site for leadership webinar events
    'deutschepost.de', // German postal service
    'dhlecommerce.nl',
    'dhl.nl',
    'adhlawfirm.com', // similar name but unrelated
    'attendhlth.com', // dhl in domain but unrelated
    'tdhlaw.com', // dhl in domain but unrelated
    'hapibenefits.com', // DHL rewards program
    'dhlgpi.com', // DHL Australia
    'dhlfreight-news.com'
  )
  // Senders under the .dhl TLD are exempt only when DMARC passes; a null DMARC
  // result is treated as a failure via coalesce.
  and not (
    sender.email.domain.tld in ('dhl')
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  // Sender reputation gate: new or outlier senders, or senders with a
  // malicious/spam history and no benign history.
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // NOTE(review): unlike the .dhl check above, dmarc.pass is not coalesced here;
  // confirm how `not headers.auth_summary.dmarc.pass` evaluates for a high-trust
  // domain when no DMARC result is present.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
# NOTE(review): the source also relies on NLU entities/topics, logo detection, OCR
# and QR scanning; consider whether detection_methods should reflect those as well.
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5"