Brand impersonation: PayPal

Impersonation of PayPal.

Sublime rule

 1name: "Brand impersonation: PayPal"
 2description: |
 3    Impersonation of PayPal.
 4references:
 5  - "https://www.welivesecurity.com/2019/12/20/scam-wants-more-than-paypal-logins/"
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and (
11    sender.display_name =~ "paypal"
12    or strings.ilevenshtein(sender.display_name, 'paypal') <= 1
13    or strings.ilike(sender.email.domain.domain, '*paypal*')
14    or any(attachments,
15           (.file_type in $file_types_images or .file_type == "pdf")
16           and any(ml.logo_detect(.).brands, .name == "PayPal")
17           and any(file.explode(.),
18                  // exclude images taken with mobile cameras and screenshots from android
19                   not any(.scan.exiftool.fields,
20                           .key == "Model"
21                           or (
22                             .key == "Software"
23                             and strings.starts_with(.value, "Android")
24                           )
25                   )
26                   // exclude images taken with mobile cameras and screenshots from Apple
27                   and not any(.scan.exiftool.fields,
28                               .key == "DeviceManufacturer"
29                               and .value == "Apple Computer Inc."
30                   )
31                   and strings.ilike(.scan.ocr.raw, "*PayPal*")
32                   and strings.ilike(.scan.ocr.raw,
33                                     "*invoice*",
34                                     "*transaction*",
35                                     "*bitcoin*",
36                                     "*dear customer*",
37                   )
38           )
39    )
40  )
41  and sender.email.domain.root_domain not in (
42    'paypal.com',
43    'paypal.ch',
44    'paypal.nl',
45    'paypal.co.uk',
46    'google.com',
47    'q4inc.com',
48    'paypal.com.au',
49    'paypal.se',
50    'paypal.be',
51    'paypal.de',
52    'paypal.dk',
53    'paypal.pl',
54    'paypal.es',
55    'paypal.ca',
56    'paypal.fr',
57    'paypal.it',
58    'paypal.com.sg',
59    'synchronyfinancial.com',
60    'synchronybank.com',
61    'xoom.com',
62    'paypal-experience.com',
63    'paypalcorp.com',
64    'paypal-customerfeedback.com',
65    'paypal-creditsurvey.com',
66    'paypal-prepaid.com',
67    'xoom.com',
68    'paypal.co.il'
69  )
70  and (
71    not profile.by_sender().solicited
72    or (
73      profile.by_sender().any_messages_malicious_or_spam
74      and not profile.by_sender().any_false_positives
75    )
76  )
77  
78  // negate highly trusted sender domains unless they fail DMARC authentication
79  and (
80    (
81      sender.email.domain.root_domain in $high_trust_sender_root_domains
82      and not headers.auth_summary.dmarc.pass
83    )
84    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
85  )  
86
87attack_types:
88  - "Credential Phishing"
89tactics_and_techniques:
90  - "Impersonation: Brand"
91  - "Lookalike domain"
92  - "Social engineering"
93detection_methods:
94  - "Computer Vision"
95  - "Content analysis"
96  - "File analysis"
97  - "Header analysis"
98  - "Sender analysis"
99id: "a6b2ceee-ea57-594d-8437-698fad55c9bf"