Brand impersonation: DHL
Impersonation of the shipping provider DHL.
---
# Sublime detection rule: flags inbound mail that presents itself as DHL
# (display name, sender domain or subject) while being sent from a root
# domain that is not on the DHL exclusion list below. Severity is low; the
# rule is only as precise as that list and the sender-profile gates.
name: 'Brand impersonation: DHL'
description: |
  Impersonation of the shipping provider DHL.
references:
  - 'https://www.helpnetsecurity.com/2020/08/21/q2-2020-email-security-trends/'
  - 'https://www.dhl.com/ca-en/home/footer/fraud-awareness.html'
type: 'rule'
severity: 'low'
# MQL query. Reading the clauses in order:
#   1. brand signal: the word DHL in the display name (case-insensitive regex),
#      'DHL' anywhere in the sender domain (wildcard ilike, so it also fires on
#      unrelated domains that merely contain "dhl" - likely why entries such as
#      'bdhllp.com' and 'dhlending.com' are on the exclusion list), or a subject
#      containing 'DHL notification';
#   2. the sender root domain is NOT one of the listed DHL domains
#      (the ~ suffix is the case-insensitive form of in);
#   3. sender-profile gate: the sender is new or an outlier, or has prior
#      malicious/spam messages and no recorded false positives;
#   4. high-trust exception: senders on $high_trust_sender_root_domains are
#      negated unless DMARC failed; that list is defined outside this file.
# Maintenance note: a legitimate DHL root domain missing from clause 2 will
# surface as a false positive, so keep the list in step with DHL's senders.
source: |
  type.inbound
  and (
    regex.icontains(sender.display_name, '\bDHL\b')
    or strings.ilike(sender.email.domain.domain, '*DHL*')
    or strings.ilike(subject.subject, '*DHL notification*')
  )
  and sender.email.domain.root_domain not in~ (
    'dhl.com',
    'dhl-news.com',
    'bdhllp.com',
    'dhlparcel.co.uk',
    'dhlecs.com',
    'dhl.co.uk',
    'dpdhl.com',
    'dhl.de',
    'dhl.fr',
    'dhlending.com',
    'inmotion.dhl',
    'dhlparcel.nl',
    'dhltariff.co.uk',
    'dhlindia-kyc.com'
  )
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - 'Credential Phishing'
tactics_and_techniques:
  - 'Impersonation: Brand'
  - 'Lookalike domain'
  - 'Social engineering'
detection_methods:
  - 'Header analysis'
  - 'Sender analysis'
id: 'be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5'