Brand impersonation: UPS
Impersonation of United Parcel Service (UPS).
Sublime rule (View on GitHub)
1name: "Brand impersonation: UPS"
2description: |
3 Impersonation of United Parcel Service (UPS).
4references:
5 - "https://www.bleepingcomputer.com/news/security/phishing-campaign-uses-upscom-xss-vuln-to-distribute-malware/"
6 - "https://twitter.com/DanielGallagher/status/1429794038463479813"
7 - "https://www.ups.com/us/en/help-center/legal-terms-conditions/fight-fraud/recognize.page"
8type: "rule"
9severity: "low"
10source: |
11 type.inbound
12 and sender.email.domain.root_domain not in ("ups.com", "upsemail.com")
13 and (
14 sender.display_name in~ ("UPS My Choice", "UPS Services")
15 or strings.ilike(sender.email.local_part, "*united*parcel*service*")
16 or strings.ilike(sender.email.domain.domain, '*united*parcel*service*')
17 or strings.icontains(subject.subject, 'UPS delivery')
18 or sender.email.local_part =~ "ups"
19 or regex.icontains(sender.display_name,
20 "U[^a-zA-Z]P[^a-zA-Z]S(?:[^a-zA-Z]|$)"
21 )
22 )
23 and (
24 // Observed in the "footer" of impersation messages
25 // added this due to the UPS image not loading on some emails
26 strings.icontains(body.current_thread.text, "United Parcel Service of")
27 or any(ml.logo_detect(beta.message_screenshot()).brands, .name is not null)
28 )
29 and sender.email.email not in $recipient_emails
30
31 // negate highly trusted sender domains unless they fail DMARC authentication
32 and (
33 (
34 sender.email.domain.root_domain in $high_trust_sender_root_domains
35 and not headers.auth_summary.dmarc.pass
36 )
37 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
38 )
39
40attack_types:
41 - "Credential Phishing"
42tactics_and_techniques:
43 - "Impersonation: Brand"
44 - "Lookalike domain"
45 - "Social engineering"
46detection_methods:
47 - "Computer Vision"
48 - "Sender analysis"
49id: "73b68869-5720-5dc3-b4bc-15730de972d8"