Brand impersonation: DHL
Impersonation of the shipping provider DHL.
Sublime rule (View on GitHub)
1name: "Brand impersonation: DHL"
2description: |
3 Impersonation of the shipping provider DHL.
4references:
5 - "https://www.helpnetsecurity.com/2020/08/21/q2-2020-email-security-trends/"
6 - "https://www.dhl.com/ca-en/home/footer/fraud-awareness.html"
7type: "rule"
8severity: "low"
9source: |
10 type.inbound
11 and (
12 regex.icontains(sender.display_name, '\bDHL\b')
13 or strings.ilike(sender.email.domain.domain, '*DHL*')
14 or strings.ilike(subject.subject, '*DHL notification*')
15 or regex.contains(subject.subject, '\bD.{0,2}H.{0,2}L.{0,2}\b')
16 )
17 and (
18 any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
19 or any(ml.nlu_classifier(body.current_thread.text).entities,
20 .name == "org" and .text =~ "DHL"
21 )
22 or any(ml.logo_detect(beta.message_screenshot()).brands,
23 .name == "DHL" and .confidence in ("medium", "high")
24 )
25 or regex.icontains(body.current_thread.text, '\bDHL\b')
26 or (
27 any(file.explode(beta.message_screenshot()),
28 strings.ilike(.scan.ocr.raw,
29 "*package*",
30 "*parcel*",
31 "*shipping*",
32 "*delivery*",
33 "*track*"
34 )
35 )
36 or strings.ilike(body.current_thread.text,
37 "*package*",
38 "*parcel*",
39 "*shipping*",
40 "*delivery*",
41 "*track*"
42 )
43 )
44 )
45 and (
46 (
47 (
48 length(headers.references) > 0
49 or not any(headers.hops,
50 any(.fields, strings.ilike(.name, "In-Reply-To"))
51 )
52 )
53 and not (
54 (
55 strings.istarts_with(subject.subject, "RE:")
56 or strings.istarts_with(subject.subject, "RES:")
57 or strings.istarts_with(subject.subject, "R:")
58 or strings.istarts_with(subject.subject, "ODG:")
59 or strings.istarts_with(subject.subject, "答复:")
60 or strings.istarts_with(subject.subject, "AW:")
61 or strings.istarts_with(subject.subject, "TR:")
62 or strings.istarts_with(subject.subject, "FWD:")
63 or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
64 )
65 )
66 )
67 or length(headers.references) == 0
68 )
69 and sender.email.domain.root_domain not in~ (
70 'dhl.com',
71 'dhl-news.com',
72 'bdhllp.com',
73 'dhlecommerce.co.uk',
74 'dhlparcel.co.uk',
75 'dhlecs.com',
76 'dhl.co.uk',
77 'dhl.co.tz',
78 'dpdhl.com',
79 'dhl.de',
80 'dhl.fr',
81 'dhlending.com',
82 'inmotion.dhl',
83 'dhlparcel.nl',
84 'dhltariff.co.uk',
85 'dhlindia-kyc.com',
86 'dpogroup.com'
87 )
88 and (
89 profile.by_sender().prevalence in ("new", "outlier")
90 or (
91 profile.by_sender().any_messages_malicious_or_spam
92 and not profile.by_sender().any_false_positives
93 )
94 )
95
96 // negate highly trusted sender domains unless they fail DMARC authentication
97 and (
98 (
99 sender.email.domain.root_domain in $high_trust_sender_root_domains
100 and not headers.auth_summary.dmarc.pass
101 )
102 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
103 )
104
105attack_types:
106 - "Credential Phishing"
107tactics_and_techniques:
108 - "Impersonation: Brand"
109 - "Lookalike domain"
110 - "Social engineering"
111detection_methods:
112 - "Header analysis"
113 - "Sender analysis"
114id: "be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5"