Brand impersonation: USPS

Impersonation of the United States Postal Service.

Sublime rule

 1name: "Brand impersonation: USPS"
 2description: "Impersonation of the United States Postal Service."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(ml.logo_detect(beta.message_screenshot()).brands, .name == "USPS")
 8  and length(body.links) > 0
 9  and 2 of (
10    any(body.links,
11        strings.ilike(.display_text,
12                      "*check now*",
13                      "*track*",
14                      "*package*",
15                      '*view your order*'
16        )
17    ),
18    strings.ilike(body.current_thread.text,
19                  "*returned*to*sender*",
20                  "*redelivery*"
21    ),
22    // impersonal greeting
23    any(ml.nlu_classifier(body.current_thread.text).entities,
24        .name == "recipient" and .text =~ "Customer"
25    ),
26    // no links go to usps.com
27    all(body.links, .href_url.domain.root_domain != "usps.com")
28  )
29  and (
30    sender.email.domain.root_domain not in (
31        "usps.com", 
32        "opinions-inmoment.com", // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
33        "shipup.co", // third party shipping company
34        "withings.com" // third party shipping company
35    )
36    or (
37      sender.email.domain.root_domain in (
38          "usps.com", 
39          "opinions-inmoment.com" // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
40      )
41      and not headers.auth_summary.dmarc.pass
42    )
43  )
44  
45  // negate highly trusted sender domains unless they fail DMARC authentication
46  and (
47    (
48      sender.email.domain.root_domain in $high_trust_sender_root_domains
49      and not headers.auth_summary.dmarc.pass
50    )
51    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
52  )  
53attack_types:
54  - "Credential Phishing"
55tactics_and_techniques:
56  - "Image as content"
57  - "Impersonation: Brand"
58  - "Social engineering"
59detection_methods:
60  - "Computer Vision"
61  - "Content analysis"
62  - "Natural Language Understanding"
63  - "Sender analysis"
64id: "28b9130a-d8e0-50af-97c9-c1b8f4c46d68"