Brand Impersonation: PayPal
Impersonation of PayPal.
# Sublime detection rule: YAML metadata wrapped around an MQL query in `source`.
name: "Brand Impersonation: PayPal"
description: |
  Impersonation of PayPal.
references:
  - "https://www.welivesecurity.com/2019/12/20/scam-wants-more-than-paypal-logins/"
type: "rule"
severity: "medium"
# Detection logic, top to bottom: an inbound message that carries a PayPal brand
# signal (display name, body text, logo + OCR text in an image/PDF attachment, or
# logo in a rendered screenshot of the message), minus four exclusions — ML topic,
# a sender root-domain allow-list, the sender's profile, and a high-trust/DMARC gate.
source: |
  // only inbound mail is evaluated
  type.inbound
  // brand signal: any one of the branches below is sufficient
  and (
    // the display name is passed through replace_confusables first (presumably
    // folding lookalike glyphs to their ASCII counterpart before comparison)
    strings.replace_confusables(sender.display_name) =~ "paypal"
    // NOTE(review): the exact match above looks redundant — the '*paypal*' ilike
    // two lines down also matches a bare "paypal"; confirm =~ semantics before removing
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name), 'paypal') <= 1
    or strings.ilike(strings.replace_confusables(sender.display_name), '*paypal*')
    or strings.icontains(body.current_thread.text, "paypal billing team")
    // attachment branch: an image or PDF in which the logo detector finds PayPal
    // and whose OCR text mentions PayPal plus at least one lure keyword
    or any(attachments,
           (.file_type in $file_types_images or .file_type == "pdf")
           and any(ml.logo_detect(.).brands, .name == "PayPal")
           and any(file.explode(.),
                   // exclude images taken with mobile cameras and screenshots from android
                   // (presumably a false-positive cut for personal photos/screenshots)
                   not any(.scan.exiftool.fields,
                           .key == "Model"
                           or (
                             .key == "Software"
                             and strings.starts_with(.value, "Android")
                           )
                   )
                   // exclude images taken with mobile cameras and screenshots from Apple
                   and not any(.scan.exiftool.fields,
                               .key == "DeviceManufacturer"
                               and .value == "Apple Computer Inc."
                   )
                   and strings.ilike(.scan.ocr.raw, "*PayPal*")
                   // multi-pattern ilike: assumed to match when any one pattern
                   // matches — confirm against the MQL reference
                   and strings.ilike(.scan.ocr.raw,
                                     "*invoice*",
                                     "*transaction*",
                                     "*bitcoin*",
                                     "*dear customer*",
                                     "*suspicious activity*"
                   )
           )
    )
    // no-attachment branch: PayPal logo in a rendered screenshot of the message
    // (beta function) plus the same lure keyword set in the thread text
    or (
      any(ml.logo_detect(beta.message_screenshot()).brands, .name == "PayPal")
      and strings.ilike(body.current_thread.text, "*PayPal*")
      and strings.ilike(body.current_thread.text,
                        "*invoice*",
                        "*transaction*",
                        "*bitcoin*",
                        "*dear customer*",
                        "*suspicious activity*"
      )
    )
  )
  // exclusion 1: the (beta) ML topic classifier labels the thread as one of these
  // categories; in~ is presumably case-insensitive membership — confirm
  and not any(beta.ml_topic(body.current_thread.text).topics,
              .name in~ (
                "Professional and Career Development",
                "Government Services"
              )
  )
  // exclusion 2: sender root-domain allow-list — PayPal's regional domains and
  // survey/feedback domains, plus non-PayPal domains (google.com, q4inc.com,
  // synchrony*.com, xoom.com, zettle.com) that presumably send PayPal-branded mail
  // legitimately; verify each entry is still intended.
  // NOTE(review): this check is not conditioned on authentication, so a message
  // whose sender root domain is in this list is suppressed even when
  // headers.auth_summary.dmarc.pass is false; the DMARC gate at the end of the
  // rule only covers $high_trust_sender_root_domains. Consider requiring a DMARC
  // pass for this list as well.
  and sender.email.domain.root_domain not in (
    'google.com',
    'paypal-brandsfeedback.com',
    'paypal-creditsurvey.com',
    'paypal-customerfeedback.com',
    'paypal-experience.com',
    'paypal-prepaid.com',
    'paypal.at',
    'paypal.be',
    'paypal.ca',
    'paypal.ch',
    'paypal.co.br',
    'paypal.co.il',
    'paypal.co.uk',
    'paypal.com',
    'paypal.com.au',
    'paypal.com.mx',
    'paypal.com.sg',
    'paypal.de',
    'paypal.dk',
    'paypal.es',
    'paypal.fr',
    'paypal.hk',
    'paypal.it',
    'paypal.nl',
    'paypal.pl',
    'paypal.se',
    'paypalcorp.com',
    'q4inc.com',
    'synchrony.com',
    'synchronybank.com',
    'synchronyfinancial.com',
    'xoom.com',
    'zettle.com'
  )
  // exclusion 3: sender-reputation gate — fire only for senders the recipient has
  // not solicited, or for senders with prior malicious/spam messages and no benign ones
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // i.e. a high-trust root domain stays in scope only on a DMARC failure;
  // every other root domain passes this gate unconditionally
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# Classification tags (presumably used for reporting and filtering — not part of the match logic)
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"
# stable rule identifier
id: "a6b2ceee-ea57-594d-8437-698fad55c9bf"