Brand impersonation: USPS
Impersonation of the United States Postal Service.
Sublime rule (MQL detection logic, YAML-wrapped):
# Sublime Security detection rule; the `source` block is MQL.
# Fires on inbound mail whose rendered screenshot carries a USPS logo and that
# shows at least two of four phishing tells, unless the From: domain is one of
# the listed USPS / vendor domains (two of which fall back to a DMARC check).
name: "Brand impersonation: USPS"
description: "Impersonation of the United States Postal Service."
type: "rule"
severity: "high"
source: |
  type.inbound
  // Computer-vision check: a USPS logo detected in a screenshot of the rendered
  // message (beta API), so image-based lures are in scope as well as text.
  and any(ml.logo_detect(beta.message_screenshot()).brands, .name == "USPS")
  // Require at least one link; the "no links go to usps.com" indicator below
  // would presumably be satisfied trivially by an empty link list.
  and length(body.links) > 0
  // At least two of the following four indicators must hold.
  and 2 of (
    // call-to-action link text typical of delivery lures (wildcard match)
    any(body.links,
        strings.ilike(.display_text,
                      "*check now*",
                      "*track*",
                      "*package*",
                      '*view your order*'
        )
    ),
    // delivery-failure pretext in the current thread body
    strings.ilike(body.current_thread.text,
                  "*returned*to*sender*",
                  "*redelivery*"
    ),
    // impersonal greeting: the NLU-extracted recipient entity is just "Customer"
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "recipient" and .text =~ "Customer"
    ),
    // no links go to usps.com
    // NOTE(review): a single legitimate usps.com link (e.g. a footer link) clears
    // this indicator; the 2-of threshold still lets the rule fire on the others.
    all(body.links, .href_url.domain.root_domain != "usps.com")
  )
  // Sender exemptions. Only usps.com and opinions-inmoment.com fall back to a
  // DMARC check; shipup.co and withings.com are exempted unconditionally, so a
  // message with a spoofed From: domain of either one bypasses this rule
  // regardless of authentication results. TODO(review): confirm the asymmetry
  // is intended, or add both domains to the DMARC-checked set below.
  and (
    sender.email.domain.root_domain not in (
      "usps.com",
      "opinions-inmoment.com", // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
      "shipup.co", // third party shipping company
      "withings.com" // third party shipping company (NOTE(review): verify this classification)
    )
    or (
      sender.email.domain.root_domain in (
        "usps.com",
        "opinions-inmoment.com" // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
      )
      // NOTE(review): dmarc.pass may be absent when no DMARC result was recorded;
      // confirm that `not` on a missing value evaluates true here (fail-closed),
      // otherwise an unauthenticated usps.com From: would keep the exemption.
      and not headers.auth_summary.dmarc.pass
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "28b9130a-d8e0-50af-97c9-c1b8f4c46d68"