Brand impersonation: UPS
Impersonation of United Parcel Service (UPS).
Sublime rule
# Sublime Security detection rule (MQL). Fires on inbound mail that presents
# itself as UPS while not originating from a UPS-owned root domain.
name: "Brand impersonation: UPS"
description: |
  Impersonation of United Parcel Service (UPS).
# Background on the campaigns this rule targets; the last link is UPS's own
# guidance on recognizing fraudulent messages.
references:
  - "https://www.bleepingcomputer.com/news/security/phishing-campaign-uses-upscom-xss-vuln-to-distribute-malware/"
  - "https://twitter.com/DanielGallagher/status/1429794038463479813"
  - "https://www.ups.com/us/en/help-center/legal-terms-conditions/fight-fraud/recognize.page"
type: "rule"
severity: "low"
# Every top-level clause below is AND-ed: the sender checks, the logo check,
# the self-addressed exclusion and the trusted-domain exception must all hold.
source: |
  type.inbound
  // legitimate UPS mail comes from these two root domains; anything else
  // that presents as UPS is a candidate impersonation
  and sender.email.domain.root_domain not in ("ups.com", "upsemail.com")
  // the sender must present as UPS in the display name, local part or domain
  // (=~ is a case-insensitive string comparison, strings.ilike a
  // case-insensitive glob match)
  and (
    sender.display_name =~ "UPS My Choice"
    or strings.ilike(sender.email.local_part, "*united*parcel*service*")
    or strings.ilike(sender.email.domain.domain, '*united*parcel*service*')
    or sender.email.local_part =~ "ups"
  )
  // NOTE(review): this only requires that *some* brand logo be detected in the
  // rendered message, not the UPS logo specifically, so a UPS display name
  // plus any recognised logo satisfies it. Matching .name against the label
  // the logo model emits for UPS would tighten this -- confirm the exact label.
  and any(ml.logo_detect(beta.message_screenshot()).brands, .name is not null)
  // exclude self-addressed mail, where the sender is also a recipient
  and sender.email.email not in $recipient_emails

  // negate highly trusted sender domains unless they fail DMARC authentication
  and
  (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        // presumably distinct() dedupes hops by whether they carry a DMARC
        // result; a trusted domain stays in scope only when a remaining hop
        // reports a result ending in "fail"
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Sender analysis"
id: "73b68869-5720-5dc3-b4bc-15730de972d8"