Brand Impersonation: PayPal
Impersonation of PayPal.
# Sublime detection rule: metadata fields plus the MQL detection logic in `source`.
name: "Brand Impersonation: PayPal"
description: |
  Impersonation of PayPal.
references:
  - "https://www.welivesecurity.com/2019/12/20/scam-wants-more-than-paypal-logins/"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // Sender display name resembles "paypal" once confusable characters are
    // normalised: exact (case-insensitive) match, edit distance of at most 1,
    // or "paypal" anywhere in the name.
    strings.replace_confusables(sender.display_name) =~ "paypal"
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'paypal'
    ) <= 1
    or strings.ilike(strings.replace_confusables(sender.display_name), '*paypal*')
    // Body phrases and look-alike spellings of the brand name
    // (e.g. "paypai", "paypa1", "paypa|", "paypa!").
    or strings.icontains(body.current_thread.text, "paypal billing team")
    or strings.icontains(body.current_thread.text, "paypal account services")
    or strings.icontains(body.current_thread.text, "securepay.pal")
    or regex.icontains(body.current_thread.text, '(?:paypa[i1]\b|paypa[|!])')
    // Image or PDF attachments carrying the PayPal logo whose OCR text names
    // PayPal together with one of the lure keywords below.
    or any(attachments,
           (.file_type in $file_types_images or .file_type == "pdf")
           and any(ml.logo_detect(.).brands, .name == "PayPal")
           and any(file.explode(.),
                   // exclude images taken with mobile cameras and screenshots from Android
                   not any(.scan.exiftool.fields,
                           .key == "Model"
                           or (
                             .key == "Software"
                             and strings.starts_with(.value, "Android")
                           )
                   )
                   // exclude images taken with mobile cameras and screenshots from Apple
                   and not any(.scan.exiftool.fields,
                               .key == "DeviceManufacturer"
                               and .value == "Apple Computer Inc."
                   )
                   and strings.ilike(.scan.ocr.raw, "*PayPal*")
                   and strings.ilike(.scan.ocr.raw,
                                     "*invoice*",
                                     "*transaction*",
                                     "*bitcoin*",
                                     "*dear customer*",
                                     "*suspicious activity*"
                   )
           )
    )
    // Same logo + keyword combination, but detected on a screenshot of the
    // message itself and matched against the body text.
    or (
      any(ml.logo_detect(file.message_screenshot()).brands, .name == "PayPal")
      and strings.ilike(body.current_thread.text, "*PayPal*")
      and strings.ilike(body.current_thread.text,
                        "*invoice*",
                        "*transaction*",
                        "*bitcoin*",
                        "*dear customer*",
                        "*suspicious activity*"
      )
    )
  )
  // Suppress messages the NLU classifier files under these topics.
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in~ (
                "Professional and Career Development",
                "Government Services"
              )
  )
  // Exclude PayPal-owned root domains and a fixed set of other legitimate senders.
  // NOTE(review): this exclusion is keyed on the sender root domain alone and does
  // not consult authentication results; the DMARC condition further down covers
  // only $high_trust_sender_root_domains. Confirm that the domains listed here are
  // covered by that list, or that a spoofed From on one of them is handled elsewhere.
  and sender.email.domain.root_domain not in (
    'google.com',
    'paypal-brandsfeedback.com',
    'paypal-creditsurvey.com',
    'paypal-customerfeedback.com',
    'paypal-experience.com',
    'paypal-prepaid.com',
    'paypal.at',
    'paypal.be',
    'paypal.ca',
    'paypal.ch',
    'paypal.co.il',
    'paypal.co.uk',
    'paypal.com',
    'paypal.com.au',
    'paypal.com.mx',
    'paypal.com.sg',
    'paypal.de',
    'paypal.dk',
    'paypal.es',
    'paypal.fr',
    'paypal.hk',
    'paypal.it',
    'paypal.nl',
    'paypal.pl',
    'paypal.se',
    'paypalcorp.com',
    'q4inc.com',
    'synchrony.com',
    'synchronybank.com',
    'synchronyfinancial.com',
    'xoom.com',
    'zettle.com'
  )
  // Negate paypal.co.br explicitly. It cannot be part of the root_domain set above:
  // root_domain is derived from the Public Suffix List (PSL), and co.br is not a
  // recognised public suffix there, so the root domain would not be paypal.co.br.
  and sender.email.domain.domain not in~ ('paypal.co.br')

  // Negate highly trusted sender domains unless they fail DMARC authentication.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
# Classification tags for the rule.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"
# Rule identifier.
id: "a6b2ceee-ea57-594d-8437-698fad55c9bf"