Fake shipping notification with link to free file hosting
This rule detects spam emails impersonating FedEx, UPS, or USPS with links to free file hosting.
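name: "Fake shipping notification with link to free file hosting"
description: |
  This rule detects spam emails impersonating FedEx, UPS, or USPS with links to free file hosting.
references:
  - "https://playground.sublimesecurity.com?id=64feb22a-03e8-4d8f-83f6-a828dc5e3540"
severity: "low"
type: "rule"
# Detection logic (MQL), clause by clause:
#   - inbound mail with no attachments (the lure is a link, not a file)
#   - the HTML body text mentions FedEx, tolerating spellings padded with
#     spaces or underscores ("f e d e x", "f_e_d_e_x"); the sender domain is
#     not fedex.com; the Return-Path domain differs from the From domain; and
#     at least one link has display text containing "track"
#   - at least one link href points at a domain, or root domain, listed in
#     $free_file_hosts
#   - the sender is either (a) on a domain in $free_email_providers and not
#     already listed in $sender_emails, (b) on a domain not in
#     $free_email_providers and not already listed in $sender_domains, or
#     (c) on a domain that fails validation
# NOTE(review): the description names UPS and USPS as well, but the regex and
# the "fedex.com" exclusion below only cover FedEx. Either extend the brand
# regex and the matching domain exclusions or narrow the description —
# confirm intent with the rule author.
# The "track" check on link display text uses strings.icontains so that
# capitalised link text such as "Track Package" is matched; the original
# strings.contains was case-sensitive and missed it.
source: |
  type.inbound
  and length(attachments) == 0
  and (
    regex.icontains(coalesce(body.html.inner_text, body.html.display_text),
                    '\bf[ _]?e[ _]?d[ _]?e[ _]?x\b'
    )
    and sender.email.domain.domain != "fedex.com"
    and headers.return_path.domain.domain != sender.email.domain.domain
    and any(body.links, strings.icontains(.display_text, "track"))
  )
  and any(body.links,
          .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
  )
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.root_domain not in $sender_domains
    )
    or sender.email.domain.valid == false
  )

attack_types:
  - "Spam"
tactics_and_techniques:
  - "Free file host"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "6d3fe05e-8ee6-586e-a2c6-60488ecf347a"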