Brand Impersonation: PayPal
Impersonation of PayPal.
Sublime rule
# Sublime Security detection rule.
# Flags inbound mail that impersonates PayPal through the sender display name,
# PayPal-specific phrases in the thread body, or a PayPal logo (ml.logo_detect)
# found in an image/PDF attachment or in a screenshot of the rendered message,
# then suppresses listed sender domains, solicited senders and selected NLU topics.
name: "Brand Impersonation: PayPal"
description: |
  Impersonation of PayPal.
references:
  - "https://www.welivesecurity.com/2019/12/20/scam-wants-more-than-paypal-logins/"
type: "rule"
severity: "medium"
# MQL body; the `//` lines below are MQL comments inside the literal block scalar.
source: |
  type.inbound
  and (
    // display-name lookalikes: confusable characters are normalized first, then
    // exact (case-insensitive), near (edit distance <= 1) and substring matches.
    // NOTE(review): the ilevenshtein <= 1 test already accepts an exact match, so the
    // =~ comparison appears redundant -- confirm before removing.
    strings.replace_confusables(sender.display_name) =~ "paypal"
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name), 'paypal') <= 1
    or strings.ilike(strings.replace_confusables(sender.display_name), '*paypal*')
    // PayPal-specific lure phrases in the current thread text
    or strings.icontains(body.current_thread.text, "paypal billing team")
    or strings.icontains(body.current_thread.text, "paypal account services")
    // image or PDF attachment carrying a PayPal logo whose OCR text mentions PayPal
    // together with at least one lure phrase
    or any(attachments,
           (.file_type in $file_types_images or .file_type == "pdf")
           and any(ml.logo_detect(.).brands, .name == "PayPal")
           and any(file.explode(.),
                   // exclude images taken with mobile cameras and screenshots from android
                   not any(.scan.exiftool.fields,
                           .key == "Model"
                           or (
                             .key == "Software"
                             and strings.starts_with(.value, "Android")
                           )
                   )
                   // exclude images taken with mobile cameras and screenshots from Apple
                   and not any(.scan.exiftool.fields,
                               .key == "DeviceManufacturer"
                               and .value == "Apple Computer Inc."
                   )
                   and strings.ilike(.scan.ocr.raw, "*PayPal*")
                   and strings.ilike(.scan.ocr.raw,
                                     "*invoice*",
                                     "*transaction*",
                                     "*bitcoin*",
                                     "*dear customer*",
                                     "*suspicious activity*"
                   )
           )
    )
    // same logo + lure-phrase test applied to a screenshot of the rendered message
    or (
      any(ml.logo_detect(file.message_screenshot()).brands, .name == "PayPal")
      and strings.ilike(body.current_thread.text, "*PayPal*")
      and strings.ilike(body.current_thread.text,
                        "*invoice*",
                        "*transaction*",
                        "*bitcoin*",
                        "*dear customer*",
                        "*suspicious activity*"
      )
    )
  )
  // suppress messages the NLU classifier assigns to these topics (in~ is case-insensitive)
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in~ (
                "Professional and Career Development",
                "Government Services"
              )
  )
  // sender root domains this rule never flags.
  // NOTE(review): this exemption is keyed on the From domain alone and is not tied to
  // authentication, so an unauthenticated (e.g. DMARC-failing) message from one of these
  // domains is exempt here too; unless another rule covers that case, consider requiring
  // headers.auth_summary.dmarc.pass for the exemption, as the high-trust block below does.
  and sender.email.domain.root_domain not in (
    'google.com',
    'paypal-brandsfeedback.com',
    'paypal-creditsurvey.com',
    'paypal-customerfeedback.com',
    'paypal-experience.com',
    'paypal-prepaid.com',
    'paypal.at',
    'paypal.be',
    'paypal.ca',
    'paypal.ch',
    'paypal.co.br',
    'paypal.co.il',
    'paypal.co.uk',
    'paypal.com',
    'paypal.com.au',
    'paypal.com.mx',
    'paypal.com.sg',
    'paypal.de',
    'paypal.dk',
    'paypal.es',
    'paypal.fr',
    'paypal.hk',
    'paypal.it',
    'paypal.nl',
    'paypal.pl',
    'paypal.se',
    'paypalcorp.com',
    'q4inc.com',
    'synchrony.com',
    'synchronybank.com',
    'synchronyfinancial.com',
    'xoom.com',
    'zettle.com'
  )
  // sender history: unsolicited, or a malicious/spam record with no benign messages
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"
id: "a6b2ceee-ea57-594d-8437-698fad55c9bf"