Brand impersonation: DHL

 1name: "Brand impersonation: DHL"
 2description: |
 3    Impersonation of the shipping provider DHL.
 4references:
 5  - "https://www.helpnetsecurity.com/2020/08/21/q2-2020-email-security-trends/"
 6  - "https://www.dhl.com/ca-en/home/footer/fraud-awareness.html"
 7type: "rule"
 8severity: "low"
 9source: |
10  type.inbound
11  and (
12    regex.icontains(sender.display_name, '\bDHL\b')
13    or strings.ilike(sender.email.domain.domain, '*DHL*')
14    or strings.ilike(subject.subject, '*DHL notification*')
15  )
16  and sender.email.domain.root_domain not in~ (
17    'dhl.com',
18    'dhl-news.com',
19    'bdhllp.com',
20    'dhlparcel.co.uk',
21    'dhlecs.com',
22    'dhl.co.uk',
23    'dpdhl.com',
24    'dhl.de',
25    'dhl.fr',
26    'dhlending.com',
27    'inmotion.dhl',
28    'dhlparcel.nl',
29    'dhltariff.co.uk',
30    'dhlindia-kyc.com'
31  )
32  and (
33    profile.by_sender().prevalence in ("new", "outlier")
34    or (
35      profile.by_sender().any_messages_malicious_or_spam
36      and not profile.by_sender().any_false_positives
37    )
38  )
39
40  // negate highly trusted sender domains unless they fail DMARC authentication
41  and (
42    (
43      sender.email.domain.root_domain in $high_trust_sender_root_domains
44      and not headers.auth_summary.dmarc.pass
45    )
46    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
47  )  
48
49attack_types:
50  - "Credential Phishing"
51tactics_and_techniques:
52  - "Impersonation: Brand"
53  - "Lookalike domain"
54  - "Social engineering"
55detection_methods:
56  - "Header analysis"
57  - "Sender analysis"
58id: "be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5"