Brand impersonation: PayPal
Impersonation of PayPal.
Sublime rule (View on GitHub)
1name: "Brand impersonation: PayPal"
2description: |
3 Impersonation of PayPal.
4references:
5 - "https://www.welivesecurity.com/2019/12/20/scam-wants-more-than-paypal-logins/"
6type: "rule"
7severity: "medium"
8source: |
9 type.inbound
10 and (
11 sender.display_name =~ "paypal"
12 or strings.ilevenshtein(sender.display_name, 'paypal') <= 1
13 or strings.ilike(sender.email.domain.domain, '*paypal*')
14 or any(attachments,
15 (.file_type in $file_types_images or .file_type == "pdf")
16 and any(ml.logo_detect(.).brands, .name == "PayPal")
17 and any(file.explode(.),
18 // exclude images taken with mobile cameras and screenshots from android
19 not any(.scan.exiftool.fields,
20 .key == "Model"
21 or (
22 .key == "Software"
23 and strings.starts_with(.value, "Android")
24 )
25 )
26 // exclude images taken with mobile cameras and screenshots from Apple
27 and not any(.scan.exiftool.fields,
28 .key == "DeviceManufacturer"
29 and .value == "Apple Computer Inc."
30 )
31 and strings.ilike(.scan.ocr.raw, "*PayPal*")
32 and strings.ilike(.scan.ocr.raw,
33 "*invoice*",
34 "*transaction*",
35 "*bitcoin*",
36 "*dear customer*",
37 )
38 )
39 )
40 )
41 and sender.email.domain.root_domain not in (
42 'paypal.com',
43 'paypal.ch',
44 'paypal.nl',
45 'paypal.co.uk',
46 'google.com',
47 'q4inc.com',
48 'paypal.com.au',
49 'paypal.se',
50 'paypal.be',
51 'paypal.de',
52 'paypal.dk',
53 'paypal.pl',
54 'paypal.es',
55 'paypal.ca',
56 'paypal.fr',
57 'paypal.it',
58 'paypal.com.sg',
59 'synchronyfinancial.com',
60 'synchronybank.com',
61 'xoom.com',
62 'paypal-experience.com',
63 'paypalcorp.com',
64 'paypal-customerfeedback.com',
65 'paypal-creditsurvey.com',
66 'paypal-prepaid.com',
67 'xoom.com',
68 'paypal.co.il'
69 )
70 and (
71 not profile.by_sender().solicited
72 or (
73 profile.by_sender().any_messages_malicious_or_spam
74 and not profile.by_sender().any_false_positives
75 )
76 )
77
78 // negate highly trusted sender domains unless they fail DMARC authentication
79 and (
80 (
81 sender.email.domain.root_domain in $high_trust_sender_root_domains
82 and (
83 any(distinct(headers.hops, .authentication_results.dmarc is not null),
84 strings.ilike(.authentication_results.dmarc, "*fail")
85 )
86 )
87 )
88 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
89 )
90
91attack_types:
92 - "Credential Phishing"
93tactics_and_techniques:
94 - "Impersonation: Brand"
95 - "Lookalike domain"
96 - "Social engineering"
97detection_methods:
98 - "Computer Vision"
99 - "Content analysis"
100 - "File analysis"
101 - "Header analysis"
102 - "Sender analysis"
103id: "a6b2ceee-ea57-594d-8437-698fad55c9bf"