Brand impersonation: USPS
Impersonation of the United States Postal Service.
# Fires on inbound mail that presents as USPS (USPS logo detected in the rendered
# message, or a display name that is exactly "USPS"), contains at least one link,
# and shows two or more package-delivery lure traits. Allow-listed senders are
# exempt, and the USPS-affiliated ones only while they pass DMARC.
name: "Brand impersonation: USPS"
description: "Impersonation of the United States Postal Service."
type: "rule"
severity: "high"
source: |
  type.inbound

  // Brand signal: display name that is exactly "USPS" (=~ is a case-insensitive
  // equality, not a substring match, so "USPS Delivery" or
  // "United States Postal Service" do not satisfy it) or a USPS logo in the
  // screenshot of the rendered message.
  and (
    sender.display_name =~ "USPS"
    or any(ml.logo_detect(file.message_screenshot()).brands, .name == "USPS")
  )

  // A lure needs something to click on; this also keeps the all() trait below
  // from being vacuously true on a link-less message.
  and length(body.links) > 0

  // At least two of the following package-themed lure traits.
  and 2 of (
    // link text that urges the recipient to act
    any(body.links,
        strings.ilike(.display_text,
                      "*check now*",
                      "*track*",
                      "*package*",
                      "*view your order*"
        )
    ),
    // delivery-problem wording in the current thread
    strings.ilike(body.current_thread.text,
                  "*returned*to*sender*",
                  "*redelivery*"
    ),
    // generic salutation ("Customer") instead of a real recipient name
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "recipient" and .text =~ "Customer"
    ),
    // no link lands on usps.com. NOTE(review): a single decoy usps.com link
    // (e.g. a privacy-policy link) defeats this one trait on its own.
    all(body.links, .href_url.domain.root_domain != "usps.com")
  )

  // Sender allow-list, part 1: these two senders are exempt regardless of
  // the DMARC result.
  and sender.email.domain.root_domain not in (
    "shipup.co", // third party shipping company
    "withings.com" // listed as a third party shipping company; NOTE(review): confirm it should bypass the DMARC check below
  )

  // Sender allow-list, part 2: USPS and its survey vendor are exempt only when
  // DMARC passes, so a spoof of either domain that fails DMARC still fires.
  and (
    sender.email.domain.root_domain not in (
      "usps.com",
      "opinions-inmoment.com" // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
    )
    or not headers.auth_summary.dmarc.pass
  )

  // Highly trusted sender domains (list defined outside this rule) are likewise
  // exempt only while they pass DMARC.
  and (
    sender.email.domain.root_domain not in $high_trust_sender_root_domains
    or not headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "28b9130a-d8e0-50af-97c9-c1b8f4c46d68"