Brand impersonation: USPS
Impersonation of the United States Postal Service.
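name: "Brand impersonation: USPS"
description: "Impersonation of the United States Postal Service."
type: "rule"
severity: "high"
source: |
  // Brand signal: a USPS logo detected in the rendered message, or "USPS"
  // appearing in the sender display name.
  type.inbound
  and (
    any(ml.logo_detect(file.message_screenshot()).brands, .name == "USPS")
    or strings.icontains(sender.display_name, "USPS")
  )
  and length(body.links) > 0
  // Lure signals: at least two of the following must be present.
  and 2 of (
    // call-to-action link text typical of delivery/tracking lures
    any(body.links,
        strings.ilike(.display_text,
                      "*check now*",
                      "*track*",
                      "*package*",
                      "*view your order*"
        )
    ),
    // delivery-problem pretext in the current message text
    strings.ilike(body.current_thread.text,
                  "*returned*to*sender*",
                  "*redelivery*",
                  "*USPS promotions*"
    ),
    // impersonal greeting
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "recipient" and .text =~ "Customer"
    ),
    // no links go to usps.com
    all(body.links, .href_url.domain.root_domain != "usps.com")
  )
  // Sender allowlist: USPS itself and third parties known to send USPS-branded
  // mail. An allowlisted domain is only excluded when the message passes DMARC;
  // a spoofed allowlisted sender that fails DMARC still matches. This applies
  // to every entry in the list, not only usps.com / opinions-inmoment.com.
  and (
    sender.email.domain.root_domain not in (
      "usps.com",
      "opinions-inmoment.com", // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
      "shipup.co", // third party shipping company
      "withings.com" // third party shipping company
    )
    or not headers.auth_summary.dmarc.pass
  )
  // negate newsletters
  and not (
    length(body.links) > 20
    or any(ml.nlu_classifier(body.html.display_text).topics,
           .name == "Newsletters and Digests"
    )
  )
  // negate legit forwards and replies
  and not (
    (subject.is_reply or subject.is_forward)
    and length(body.previous_threads) > 0
    and (length(headers.references) > 0 or headers.in_reply_to is not null)
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    sender.email.domain.root_domain not in $high_trust_sender_root_domains
    or not headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "28b9130a-d8e0-50af-97c9-c1b8f4c46d68"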