Brand Impersonation: PayPal

Impersonation of PayPal.

Sublime rule (View on GitHub)

  1name: "Brand Impersonation: PayPal"
  2description: |
  3    Impersonation of PayPal.
  4references:
  5  - "https://www.welivesecurity.com/2019/12/20/scam-wants-more-than-paypal-logins/"
  6type: "rule"
  7severity: "medium"
  8source: |
  9  type.inbound
 10  and (
 11    strings.replace_confusables(sender.display_name) =~ "paypal"
 12    or strings.ilevenshtein(strings.replace_confusables(sender.display_name), 'paypal') <= 1
 13    or strings.ilike(strings.replace_confusables(sender.display_name), '*paypal*')
 14    or any(attachments,
 15           (.file_type in $file_types_images or .file_type == "pdf")
 16           and any(ml.logo_detect(.).brands, .name == "PayPal")
 17           and any(file.explode(.),
 18                   // exclude images taken with mobile cameras and screenshots from android
 19                   not any(.scan.exiftool.fields,
 20                           .key == "Model"
 21                           or (
 22                             .key == "Software"
 23                             and strings.starts_with(.value, "Android")
 24                           )
 25                   )
 26                   // exclude images taken with mobile cameras and screenshots from Apple
 27                   and not any(.scan.exiftool.fields,
 28                               .key == "DeviceManufacturer"
 29                               and .value == "Apple Computer Inc."
 30                   )
 31                   and strings.ilike(.scan.ocr.raw, "*PayPal*")
 32                   and strings.ilike(.scan.ocr.raw,
 33                                     "*invoice*",
 34                                     "*transaction*",
 35                                     "*bitcoin*",
 36                                     "*dear customer*",
 37                                     "*suspicious activity*"
 38                   )
 39           )
 40    )
 41    or (
 42      any(ml.logo_detect(beta.message_screenshot()).brands, .name == "PayPal")
 43      and strings.ilike(body.current_thread.text, "*PayPal*")
 44      and strings.ilike(body.current_thread.text,
 45                        "*invoice*",
 46                        "*transaction*",
 47                        "*bitcoin*",
 48                        "*dear customer*",
 49                        "*suspicious activity*"
 50      )
 51    )
 52  )
 53  and not any(beta.ml_topic(body.current_thread.text).topics,
 54            .name in~ (
 55              "Professional and Career Development",
 56              "Government Services"
 57            )
 58  )
 59  and sender.email.domain.root_domain not in (
 60    'google.com',
 61    'paypal-creditsurvey.com',
 62    'paypal-customerfeedback.com',
 63    'paypal-experience.com',
 64    'paypal-prepaid.com',
 65    'paypal.at',
 66    'paypal.be',
 67    'paypal.ca',
 68    'paypal.ch',
 69    'paypal.co.br',
 70    'paypal.co.il',
 71    'paypal.co.uk',
 72    'paypal.com',
 73    'paypal.com.au',
 74    'paypal.com.mx',
 75    'paypal.com.sg',
 76    'paypal.de',
 77    'paypal.dk',
 78    'paypal.es',
 79    'paypal.fr',
 80    'paypal.hk',
 81    'paypal.it',
 82    'paypal.nl',
 83    'paypal.pl',
 84    'paypal.se',
 85    'paypalcorp.com',
 86    'q4inc.com',
 87    'synchrony.com',
 88    'synchronybank.com',
 89    'synchronyfinancial.com',
 90    'xoom.com',
 91    'zettle.com'
 92  )
 93  and (
 94    not profile.by_sender().solicited
 95    or (
 96      profile.by_sender().any_messages_malicious_or_spam
 97      and not profile.by_sender().any_false_positives
 98    )
 99  )
100  
101  // negate highly trusted sender domains unless they fail DMARC authentication
102  and (
103    (
104      sender.email.domain.root_domain in $high_trust_sender_root_domains
105      and not headers.auth_summary.dmarc.pass
106    )
107    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
108  )  
109
110attack_types:
111  - "Credential Phishing"
112tactics_and_techniques:
113  - "Impersonation: Brand"
114  - "Lookalike domain"
115  - "Social engineering"
116detection_methods:
117  - "Computer Vision"
118  - "Content analysis"
119  - "File analysis"
120  - "Header analysis"
121  - "Sender analysis"
122id: "a6b2ceee-ea57-594d-8437-698fad55c9bf"
to-top