Brand Impersonation: PayPal
Impersonation of PayPal.
Sublime rule
# Sublime detection rule: flags inbound mail that presents itself as PayPal
# (sender display name, body wording, a PayPal logo in an attachment or in a
# rendered screenshot of the message) when it is not sent from one of the
# explicitly listed PayPal-related domains.
name: "Brand Impersonation: PayPal"
description: |
  Impersonation of PayPal.
references:
  - "https://www.welivesecurity.com/2019/12/20/scam-wants-more-than-paypal-logins/"
type: "rule"
severity: "medium"
source: |
  // Only inbound mail is evaluated.
  type.inbound
  // Brand signal: at least one of the four groups below must match.
  and (
    // 1. Sender display name reads as "paypal" once confusable/homoglyph
    //    characters are normalised: case-insensitive match, within one edit,
    //    or as a substring (the wildcard match also covers the first case).
    strings.replace_confusables(sender.display_name) =~ "paypal"
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'paypal'
    ) <= 1
    or strings.ilike(strings.replace_confusables(sender.display_name), '*paypal*')
    // 2. Body wording used in PayPal-themed lures, plus lookalike spellings of
    //    the brand: i/1 or |/! in place of the final "l", "@" in place of "a",
    //    and separators inserted inside "secure-pay-pal".
    or strings.icontains(body.current_thread.text, "paypal billing team")
    or strings.icontains(body.current_thread.text, "paypal account services")
    or regex.icontains(body.current_thread.text, 'secure[-\._]?pay[-\._]?pal')
    or regex.icontains(body.current_thread.text,
                       '(?:paypa[i1]\b|paypa[|!]|p@y\.?p@l)'
    )
    // 3. An image or PDF attachment that carries a PayPal logo and whose OCR
    //    text mentions PayPal together with one of the lure themes.
    or any(attachments,
           (.file_type in $file_types_images or .file_type == "pdf")
           and any(ml.logo_detect(.).brands, .name == "PayPal")
           and any(file.explode(.),
                   // exclude images taken with mobile cameras and screenshots from android
                   // (an EXIF "Model" field, or "Software" starting with
                   // "Android"; presumably to avoid flagging user-taken photos
                   // and phone screenshots - confirm)
                   not any(.scan.exiftool.fields,
                           .key == "Model"
                           or (
                             .key == "Software"
                             and strings.starts_with(.value, "Android")
                           )
                   )
                   // exclude images taken with mobile cameras and screenshots from Apple
                   and not any(.scan.exiftool.fields,
                               .key == "DeviceManufacturer"
                               and .value == "Apple Computer Inc."
                   )
                   and strings.ilike(.scan.ocr.raw, "*PayPal*")
                   // any single lure theme below is sufficient
                   and strings.ilike(.scan.ocr.raw,
                                     "*invoice*",
                                     "*transaction*",
                                     "*bitcoin*",
                                     "*dear customer*",
                                     "*suspicious activity*"
                   )
           )
    )
    // 4. PayPal logo in a rendered screenshot of the message itself, combined
    //    with the same brand + lure-theme wording in the body text.
    or (
      any(ml.logo_detect(file.message_screenshot()).brands, .name == "PayPal")
      and strings.ilike(body.current_thread.text, "*PayPal*")
      and strings.ilike(body.current_thread.text,
                        "*invoice*",
                        "*transaction*",
                        "*bitcoin*",
                        "*dear customer*",
                        "*suspicious activity*"
      )
    )
  )
  // Negate messages the NLU classifier assigns to career or government
  // topics (presumably contexts where PayPal is mentioned legitimately -
  // confirm against tuning history).
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in~ (
                "Professional and Career Development",
                "Government Services"
              )
  )
  // Negate PayPal's own country domains and the other listed senders (Xoom,
  // Zettle, Synchrony, feedback/survey hosts, q4inc, google.com), which are
  // presumably legitimate PayPal-related senders - confirm before editing.
  // NOTE(review): this exclusion keys on the From: root domain alone and is
  // not tied to DMARC, unlike the high-trust clause at the end; a message
  // whose From: claims one of these domains but fails authentication is
  // negated here and is expected to be covered by a separate sender-spoofing
  // rule - confirm that coverage exists.
  and sender.email.domain.root_domain not in (
    'google.com',
    'paypal-brandsfeedback.com',
    'paypal-creditsurvey.com',
    'paypal-customerfeedback.com',
    'paypal-experience.com',
    'paypal-prepaid.com',
    'paypal.at',
    'paypal.be',
    'paypal.ca',
    'paypal.ch',
    'paypal.co.il',
    'paypal.co.uk',
    'paypal.com',
    'paypal.com.au',
    'paypal.com.mx',
    'paypal.com.sg',
    'paypal.de',
    'paypal.dk',
    'paypal.es',
    'paypal.fr',
    'paypal.hk',
    'paypal.it',
    'paypal.nl',
    'paypal.pl',
    'paypal.se',
    'paypalcorp.com',
    'q4inc.com',
    'synchrony.com',
    'synchronybank.com',
    'synchronyfinancial.com',
    'xoom.com',
    'zettle.com'
  )
  // negate paypal.co.br explicitly, this cannot be part of the root_domain set above as it uses the PSL (Public suffix list) for parsing and co.br is not a recognized public suffix.
  and sender.email.domain.domain not in~ ('paypal.co.br')

  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a DMARC failure from a high-trust domain keeps the message in scope,
  // since the From: domain cannot then be relied on)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"
id: "a6b2ceee-ea57-594d-8437-698fad55c9bf"