Brand impersonation: USPS

Impersonation of the United States Postal Service.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: USPS"
 2description: "Impersonation of the United States Postal Service."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(ml.logo_detect(beta.message_screenshot()).brands, .name == "USPS")
 8  and length(body.links) > 0
 9  and 2 of (
10    any(body.links,
11        strings.ilike(.display_text, "*check now*", "*track*", "*package*")
12    ),
13    strings.ilike(body.current_thread.text,
14                  "*returned*to*sender*",
15                  "*redelivery*"
16    ),
17    // impersonal greeting
18    any(ml.nlu_classifier(body.current_thread.text).entities,
19        .name == "recipient" and .text =~ "Customer"
20    )
21  )
22  and sender.email.domain.root_domain not in ("usps.com")
23  and profile.by_sender().prevalence in ("new", "outlier", "rare")
24  
25   // negate highly trusted sender domains unless they fail DMARC authentication
26  and (
27    (
28      sender.email.domain.root_domain in $high_trust_sender_root_domains
29      and not headers.auth_summary.dmarc.pass
30    )
31    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
32  )  
33
34attack_types:
35  - "Credential Phishing"
36tactics_and_techniques:
37  - "Image as content"
38  - "Impersonation: Brand"
39  - "Social engineering"
40detection_methods:
41  - "Computer Vision"
42  - "Content analysis"
43  - "Natural Language Understanding"
44  - "Sender analysis"
45id: "28b9130a-d8e0-50af-97c9-c1b8f4c46d68"