Brand impersonation: UPS

calendar May 20, 2026  ·
Share on: linkedin copy

Impersonation of United Parcel Service (UPS).

Sublime rule (View on GitHub)

 1name: "Brand impersonation: UPS"
 2description: |
 3    Impersonation of United Parcel Service (UPS).
 4references:
 5  - "https://www.bleepingcomputer.com/news/security/phishing-campaign-uses-upscom-xss-vuln-to-distribute-malware/"
 6  - "https://twitter.com/DanielGallagher/status/1429794038463479813"
 7  - "https://www.ups.com/us/en/help-center/legal-terms-conditions/fight-fraud/recognize.page"
 8type: "rule"
 9severity: "low"
10source: |
11  type.inbound
12  and sender.email.domain.root_domain not in ("ups.com", "upsemail.com")
13  and (
14    sender.display_name in~ ("UPS My Choice", "UPS Services")
15    or strings.ilike(sender.email.local_part, "*united*parcel*service*")
16    or strings.ilike(sender.email.domain.domain, '*united*parcel*service*')
17    or strings.icontains(subject.subject, 'UPS delivery')
18    or sender.email.local_part =~ "ups"
19    or regex.icontains(sender.display_name,
20                       "U[^a-zA-Z]P[^a-zA-Z]S(?:[^a-zA-Z]|$)"
21    )
22    or strings.icontains(body.html.raw, 'background-color:#351d20')
23    or strings.icontains(body.html.raw, 'background-color: #351d20')
24  )
25  and (
26    // Observed in the "footer" of impersation messages
27    // added this due to the UPS image not loading on some emails
28    strings.icontains(body.current_thread.text, "United Parcel Service of")
29    or regex.icontains(body.current_thread.text,
30                       "(©|®).{0,15}(?:U.?P.?S.?|United Parcel Service)"
31    )
32    or any(ml.logo_detect(file.message_screenshot()).brands, .name is not null)
33  )
34  and sender.email.email not in $recipient_emails
35  
36  // negate highly trusted sender domains unless they fail DMARC authentication
37  and (
38    (
39      sender.email.domain.root_domain in $high_trust_sender_root_domains
40      and not headers.auth_summary.dmarc.pass
41    )
42    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
43  )  
44
45attack_types:
46  - "Credential Phishing"
47tactics_and_techniques:
48  - "Impersonation: Brand"
49  - "Lookalike domain"
50  - "Social engineering"
51detection_methods:
52  - "Computer Vision"
53  - "Sender analysis"
54id: "73b68869-5720-5dc3-b4bc-15730de972d8"
to-top