Brand impersonation: DHL

Detects inbound email that impersonates the shipping provider DHL: the display name, sender domain, or subject references DHL, the sender's root domain is not on the rule's list of known DHL domains, and the sender is either new/unusual for the organization or has prior malicious or spam verdicts with no recorded false positives.

Sublime rule

 1name: "Brand impersonation: DHL"
 2description: |
 3    Impersonation of the shipping provider DHL.
 4references:
 5  - "https://www.helpnetsecurity.com/2020/08/21/q2-2020-email-security-trends/"
 6  - "https://www.dhl.com/ca-en/home/footer/fraud-awareness.html"
 7type: "rule"
 8severity: "low"
 9source: |
10  type.inbound
11  and (
12    regex.icontains(sender.display_name, '\bDHL\b')
13    or strings.ilike(sender.email.domain.domain, '*DHL*')
14    or strings.ilike(subject.subject, '*DHL notification*')
15  )
16  and sender.email.domain.root_domain not in~ (
17    'dhl.com',
18    'dhl-news.com',
19    'bdhllp.com',
20    'dhlecommerce.co.uk',
21    'dhlparcel.co.uk',
22    'dhlecs.com',
23    'dhl.co.uk',
24    'dpdhl.com',
25    'dhl.de',
26    'dhl.fr',
27    'dhlending.com',
28    'inmotion.dhl',
29    'dhlparcel.nl',
30    'dhltariff.co.uk',
31    'dhlindia-kyc.com'
32  )
33  and (
34    profile.by_sender().prevalence in ("new", "outlier")
35    or (
36      profile.by_sender().any_messages_malicious_or_spam
37      and not profile.by_sender().any_false_positives
38    )
39  )
40
41  // negate highly trusted sender domains unless they fail DMARC authentication
42  and (
43    (
44      sender.email.domain.root_domain in $high_trust_sender_root_domains
45      and not headers.auth_summary.dmarc.pass
46    )
47    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
48  )  
49
50attack_types:
51  - "Credential Phishing"
52tactics_and_techniques:
53  - "Impersonation: Brand"
54  - "Lookalike domain"
55  - "Social engineering"
56detection_methods:
57  - "Header analysis"
58  - "Sender analysis"
59id: "be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5"