Brand impersonation: UPS

 1name: "Brand impersonation: UPS"
 2description: |
 3    Impersonation of United Parcel Service (UPS).
 4references:
 5  - "https://www.bleepingcomputer.com/news/security/phishing-campaign-uses-upscom-xss-vuln-to-distribute-malware/"
 6  - "https://twitter.com/DanielGallagher/status/1429794038463479813"
 7  - "https://www.ups.com/us/en/help-center/legal-terms-conditions/fight-fraud/recognize.page"
 8type: "rule"
 9severity: "low"
10source: |
11  type.inbound
12  and sender.email.domain.root_domain not in ("ups.com", "upsemail.com")
13  and (
14    sender.display_name =~ "UPS My Choice"
15    or strings.ilike(sender.email.local_part, "*united*parcel*service*")
16    or strings.ilike(sender.email.domain.domain, '*united*parcel*service*')
17    or sender.email.local_part =~ "ups"
18  )
19  and any(ml.logo_detect(beta.message_screenshot()).brands, .name is not null)
20  and sender.email.email not in $recipient_emails
21
22  // negate highly trusted sender domains unless they fail DMARC authentication
23  and
24  (
25    (
26      sender.email.domain.root_domain in $high_trust_sender_root_domains
27      and (
28        any(distinct(headers.hops, .authentication_results.dmarc is not null),
29            strings.ilike(.authentication_results.dmarc, "*fail")
30        )
31      )
32    )
33    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
34  )  
35
36attack_types:
37  - "Credential Phishing"
38tactics_and_techniques:
39  - "Impersonation: Brand"
40  - "Lookalike domain"
41  - "Social engineering"
42detection_methods:
43  - "Computer Vision"
44  - "Sender analysis"
45id: "73b68869-5720-5dc3-b4bc-15730de972d8"