Brand impersonation: DHL

  1name: "Brand impersonation: DHL"
  2description: |
  3    Impersonation of the shipping provider DHL.
  4references:
  5  - "https://www.helpnetsecurity.com/2020/08/21/q2-2020-email-security-trends/"
  6  - "https://www.dhl.com/ca-en/home/footer/fraud-awareness.html"
  7type: "rule"
  8severity: "low"
  9source: |
 10  type.inbound
 11  and (
 12    regex.icontains(sender.display_name, '\bDHL\b')
 13    or strings.ilike(sender.email.domain.domain, '*DHL*')
 14    or strings.ilike(subject.subject, '*DHL notification*')
 15    or regex.contains(subject.subject, '\bD.{0,2}H.{0,2}L.{0,2}\b')
 16  )
 17  and (
 18    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
 19    or any(ml.nlu_classifier(body.current_thread.text).entities,
 20           .name == "org" and .text =~ "DHL"
 21    )
 22    or any(ml.logo_detect(beta.message_screenshot()).brands,
 23           .name == "DHL" and .confidence in ("medium", "high")
 24    )
 25    or regex.icontains(body.current_thread.text, '\bDHL\b')
 26    or (
 27      any(file.explode(beta.message_screenshot()),
 28          strings.ilike(.scan.ocr.raw,
 29                        "*package*",
 30                        "*parcel*",
 31                        "*shipping*",
 32                        "*delivery*",
 33                        "*track*"
 34          )
 35      )
 36      or strings.ilike(body.current_thread.text,
 37                       "*package*",
 38                       "*parcel*",
 39                       "*shipping*",
 40                       "*delivery*",
 41                       "*track*"
 42      )
 43    )
 44  )
 45  and (
 46    (
 47      (
 48        length(headers.references) > 0
 49        or not any(headers.hops,
 50                   any(.fields, strings.ilike(.name, "In-Reply-To"))
 51        )
 52      )
 53      and not (
 54        (
 55          strings.istarts_with(subject.subject, "RE:")
 56          or strings.istarts_with(subject.subject, "RES:")
 57          or strings.istarts_with(subject.subject, "R:")
 58          or strings.istarts_with(subject.subject, "ODG:")
 59          or strings.istarts_with(subject.subject, "答复:")
 60          or strings.istarts_with(subject.subject, "AW:")
 61          or strings.istarts_with(subject.subject, "TR:")
 62          or strings.istarts_with(subject.subject, "FWD:")
 63          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
 64        )
 65      )
 66    )
 67    or length(headers.references) == 0
 68  )
 69  and sender.email.domain.root_domain not in~ (
 70    'dhl.com',
 71    'dhl-news.com',
 72    'bdhllp.com',
 73    'dhlecommerce.co.uk',
 74    'dhlparcel.co.uk',
 75    'dhlecs.com',
 76    'dhl.co.uk',
 77    'dhl.co.tz',
 78    'dpdhl.com',
 79    'dhl.de',
 80    'dhl.fr',
 81    'dhlending.com',
 82    'inmotion.dhl',
 83    'dhlparcel.nl',
 84    'dhltariff.co.uk',
 85    'dhlindia-kyc.com',
 86    'dpogroup.com'
 87  )
 88  and (
 89    profile.by_sender().prevalence in ("new", "outlier")
 90    or (
 91      profile.by_sender().any_messages_malicious_or_spam
 92      and not profile.by_sender().any_false_positives
 93    )
 94  )
 95
 96  // negate highly trusted sender domains unless they fail DMARC authentication
 97  and (
 98    (
 99      sender.email.domain.root_domain in $high_trust_sender_root_domains
100      and not headers.auth_summary.dmarc.pass
101    )
102    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
103  )  
104
105attack_types:
106  - "Credential Phishing"
107tactics_and_techniques:
108  - "Impersonation: Brand"
109  - "Lookalike domain"
110  - "Social engineering"
111detection_methods:
112  - "Header analysis"
113  - "Sender analysis"
114id: "be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5"