Brand impersonation: DHL

Impersonation of the shipping provider DHL.

Sublime rule

# Sublime Security detection rule: flags inbound mail that impersonates DHL.
# The MQL in `source` is a conjunction of five gates, each annotated below:
# a DHL brand signal, a lure/content signal, a not-a-reply check, a sender
# domain allowlist, and a sender-reputation check (plus a DMARC carve-out for
# high-trust domains).
name: "Brand impersonation: DHL"
description: |
    Impersonation of the shipping provider DHL.
references:
  - "https://www.helpnetsecurity.com/2020/08/21/q2-2020-email-security-trends/"
  - "https://www.dhl.com/ca-en/home/footer/fraud-awareness.html"
type: "rule"
severity: "low"
source: |
  type.inbound
  // gate 1 - brand signal: "DHL" in the display name, a short sender domain
  // containing "dhl", or a DHL-themed subject
  and (
    regex.icontains(sender.display_name, '\bDHL\b')
    or (
      // short domains only (< 15 chars) so that long domains that merely
      // contain "dhl" as a substring do not match
      strings.ilike(sender.email.domain.domain, '*DHL*')
      and length(sender.email.domain.domain) < 15
    )
    or strings.ilike(subject.subject, '*DHL notification*')
    // case-sensitive; allows up to two arbitrary characters between the
    // letters to catch spaced/punctuated forms such as "D.H.L"
    or regex.contains(subject.subject, '\bD.{0,2}H.{0,2}L.{0,2}\b')
  )
  // gate 2 - lure signal: urgency or a DHL org entity from the NLU classifier,
  // a DHL logo with medium/high confidence, "DHL" in the body, a QR code, or
  // shipping vocabulary in the screenshot OCR text or the body
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
    or any(ml.nlu_classifier(body.current_thread.text).entities,
           .name == "org" and .text =~ "DHL"
    )
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           .name == "DHL" and .confidence in ("medium", "high")
    )
    or regex.icontains(body.current_thread.text, '\bDHL\b')
    // it contains a QR code
    or any(file.explode(beta.message_screenshot()), .scan.qr.url.url is not null)
    or (
      any(file.explode(beta.message_screenshot()),
          strings.ilike(.scan.ocr.raw,
                        "*package*",
                        "*parcel*",
                        "*shipping*",
                        "*delivery*",
                        "*track*"
          )
      )
      or strings.ilike(body.current_thread.text,
                       "*package*",
                       "*parcel*",
                       "*shipping*",
                       "*delivery*",
                       "*track*"
      )
    )
  )
  // gate 3 - not a reply/forward: messages in an existing thread whose
  // subject carries a reply/forward prefix are excluded
  // NOTE(review): assuming length(headers.references) is a non-negative
  // integer, the In-Reply-To hop check below has no effect on the outcome:
  // when References is empty the trailing
  // "or length(headers.references) == 0" is true, and otherwise
  // "length(headers.references) > 0" already satisfies the first
  // disjunction, so this whole gate reduces to "no References header, or the
  // subject has no reply/forward prefix"
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "RES:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          // bracketed tags (e.g. ticket markers) before the prefix, up to three
          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
        )
      )
    )
    or length(headers.references) == 0
  )
  // gate 4 - allowlist of root domains that may legitimately send DHL-themed
  // mail; compared case-insensitively (in~) on the root domain only
  and sender.email.domain.root_domain not in~ (
    'dhl.com',
    'dhl-news.com',
    'bdhllp.com',
    'dhlecommerce.co.uk',
    'dhlparcel.co.uk',
    'dhlecs.com',
    'dhl.co.uk',
    'dhl.co.tz',
    'dpdhl.com',
    'dhl.de',
    'dhl.fr',
    'dhl.pl',
    'dhlexpress.fr', // legit dhl site
    'dhlending.com',
    'inmotion.dhl',
    'dhlparcel.nl',
    'dhltariff.co.uk',
    'dhlindia-kyc.com',
    'dpogroup.com',
    '4flow-service.com',  // shipping service
    'deutschepost.de', // German postal service
    'dhlecommerce.nl',
    'dhl.nl'
  )
  // gate 5 - sender reputation: fire only for senders that are new/outliers
  // for this organisation, or that have prior malicious/spam messages and no
  // recorded false positives
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5"