Brand impersonation: UPS

Detects messages impersonating UPS (United Parcel Service) through display name, email address patterns, subject content, or HTML styling that mimics UPS branding, while excluding legitimate UPS domains.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: UPS"
 2description: |
 3    Detects messages impersonating UPS (United Parcel Service) through display name, email address patterns, subject content, or HTML styling that mimics UPS branding, while excluding legitimate UPS domains.
 4references:
 5  - "https://www.bleepingcomputer.com/news/security/phishing-campaign-uses-upscom-xss-vuln-to-distribute-malware/"
 6  - "https://twitter.com/DanielGallagher/status/1429794038463479813"
 7  - "https://www.ups.com/us/en/help-center/legal-terms-conditions/fight-fraud/recognize.page"
 8type: "rule"
 9severity: "low"
10source: |
11  type.inbound
12  and sender.email.domain.root_domain not in ("ups.com", "upsemail.com")
13  and (
14    sender.display_name in~ ("UPS My Choice", "UPS Services", "Ups.com")
15    or regex.icontains(sender.display_name, 'ups-\w+')
16    or strings.ilike(sender.email.local_part, "*united*parcel*service*")
17    or strings.ilike(sender.email.domain.domain, '*united*parcel*service*')
18    or strings.icontains(subject.subject, 'UPS delivery')
19    or sender.email.local_part =~ "ups"
20    or regex.icontains(sender.display_name,
21                       "U[^a-zA-Z]P[^a-zA-Z]S(?:[^a-zA-Z]|$)"
22    )
23    or strings.icontains(body.html.raw, 'background-color:#351d20')
24    or strings.icontains(body.html.raw, 'background-color: #351d20')
25  )
26  and (
27    // Observed in the "footer" of impersation messages
28    // added this due to the UPS image not loading on some emails
29    strings.icontains(body.current_thread.text, "United Parcel Service of")
30    or regex.icontains(body.current_thread.text,
31                       "(©|®).{0,15}(?:U.?P.?S.?|United Parcel Service)"
32    )
33    or any(ml.logo_detect(file.message_screenshot()).brands, .name is not null)
34  )
35  and sender.email.email not in $recipient_emails
36  
37  // negate highly trusted sender domains unless they fail DMARC authentication
38  and (
39    (
40      sender.email.domain.root_domain in $high_trust_sender_root_domains
41      and not headers.auth_summary.dmarc.pass
42    )
43    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
44  )  
45
46attack_types:
47  - "Credential Phishing"
48tactics_and_techniques:
49  - "Impersonation: Brand"
50  - "Lookalike domain"
51  - "Social engineering"
52detection_methods:
53  - "Computer Vision"
54  - "Sender analysis"
55id: "73b68869-5720-5dc3-b4bc-15730de972d8"
to-top