Brand impersonation: DHL
Impersonation of the shipping provider DHL.
# Sublime Security detection rule. Metadata is YAML; the `source` block is the
# detection query (MQL). The rule fires only when every top-level `and` group holds.
name: "Brand impersonation: DHL"
description: |
  Impersonation of the shipping provider DHL.
references:
  - "https://www.helpnetsecurity.com/2020/08/21/q2-2020-email-security-trends/"
  - "https://www.dhl.com/ca-en/home/footer/fraud-awareness.html"
type: "rule"
severity: "low"
source: |
  type.inbound
  // DHL is referenced by the sender display name, a short sender domain, or the subject
  and (
    regex.icontains(sender.display_name, '\bDHL\b')
    or (
      strings.ilike(sender.email.domain.domain, '*DHL*')
      and length(sender.email.domain.domain) < 15
    )
    or strings.ilike(subject.subject, '*DHL notification*')
    // case-sensitive; tolerates up to two filler characters between the letters
    or regex.contains(subject.subject, '\bD.{0,2}H.{0,2}L.{0,2}\b')
  )
  // urgency or DHL as an entity in the body, a DHL logo, a QR code, or delivery-themed wording
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
    or any(ml.nlu_classifier(body.current_thread.text).entities,
           .name == "org" and .text =~ "DHL"
    )
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           .name == "DHL" and .confidence in ("medium", "high")
    )
    or regex.icontains(body.current_thread.text, '\bDHL\b')
    // a QR code is present in the rendered message
    or any(file.explode(beta.message_screenshot()), .scan.qr.url.url is not null)
    // delivery-themed wording, either OCR'd from the screenshot or in the body text
    or any(file.explode(beta.message_screenshot()),
           strings.ilike(.scan.ocr.raw, "*package*", "*parcel*", "*shipping*", "*delivery*", "*track*")
    )
    or strings.ilike(body.current_thread.text, "*package*", "*parcel*", "*shipping*", "*delivery*", "*track*")
  )
  // thread-position check: exclude messages whose subject carries a reply/forward prefix;
  // the prefix test only applies when a References header is present
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        strings.istarts_with(subject.subject, "RE:")
        or strings.istarts_with(subject.subject, "RES:")
        or strings.istarts_with(subject.subject, "R:")
        or strings.istarts_with(subject.subject, "ODG:")
        or strings.istarts_with(subject.subject, "答复:")
        or strings.istarts_with(subject.subject, "AW:")
        or strings.istarts_with(subject.subject, "TR:")
        or strings.istarts_with(subject.subject, "FWD:")
        or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
      )
    )
    or length(headers.references) == 0
  )
  // allowlist of legitimate sender root domains (case-insensitive match), kept sorted;
  // NOTE(review): the non-DHL-branded entries are inherited from the original list — confirm
  // each is still a legitimate sender before keeping it
  and sender.email.domain.root_domain not in~ (
    '4flow-service.com', // shipping service
    'bdhllp.com',
    'deutschepost.de', // German postal service
    'dhl-news.com',
    'dhl.co.tz',
    'dhl.co.uk',
    'dhl.com',
    'dhl.de',
    'dhl.fr',
    'dhl.nl',
    'dhl.pl',
    'dhlecommerce.co.uk',
    'dhlecommerce.nl',
    'dhlecs.com',
    'dhlending.com',
    'dhlexpress.fr', // legit dhl site
    'dhlindia-kyc.com',
    'dhlparcel.co.uk',
    'dhlparcel.nl',
    'dhltariff.co.uk',
    'dpdhl.com',
    'dpogroup.com',
    'inmotion.dhl'
  )
  // sender is new or unusual for this organisation, or has prior malicious/spam
  // messages without any recorded false positives
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5"