Brand impersonation: DHL
Impersonation of the shipping provider DHL.
Sublime rule
# Sublime Security detection rule.
# Flags inbound mail that presents itself as DHL (in the display name, the
# sender domain or the subject) but is sent from a root domain outside the
# DHL-owned list below, and only when the sender has not been seen before.
name: "Brand impersonation: DHL"
description: |
  Impersonation of the shipping provider DHL.
# Background on DHL-themed phishing campaigns and DHL's own fraud-awareness page.
references:
  - "https://www.helpnetsecurity.com/2020/08/21/q2-2020-email-security-trends/"
  - "https://www.dhl.com/ca-en/home/footer/fraud-awareness.html"
type: "rule"
severity: "low"
# MQL query. Lines starting with `//` inside the block are MQL comments and do
# not take part in the match.
source: |
  type.inbound
  // DHL branding in any of: the display name (whole word, case-insensitive),
  // the sender domain (substring match, so any domain containing "dhl" hits),
  // or a subject containing "DHL notification"
  and (
    regex.icontains(sender.display_name, '\bDHL\b')
    or strings.ilike(sender.email.domain.domain, '*DHL*')
    or strings.ilike(subject.subject, '*DHL notification*')
  )
  // exclude DHL-operated root domains; `in~` is the case-insensitive membership test.
  // NOTE(review): 'bdhllp.com' presumably appears here because the '*DHL*'
  // substring check above would otherwise match it - confirm it is DHL-owned.
  and sender.email.domain.root_domain not in~ (
    'dhl.com',
    'dhl-news.com',
    'bdhllp.com',
    'dhlparcel.co.uk',
    'dhlecs.com',
    'dhl.co.uk',
    'dpdhl.com',
    'dhl.de',
    'dhl.fr'
  )
  // first-time sender
  // free-mail senders are judged by the exact address ($sender_emails),
  // every other sender by its domain ($sender_domains)
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
# Classification metadata for the rule.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
# Stable identifier for this rule.
id: "be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5"