Brand impersonation: USPS

Impersonation of the United States Postal Service.

Sublime rule (View on GitHub)

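  name: "Brand impersonation: USPS"
  description: "Impersonation of the United States Postal Service."
  type: "rule"
  severity: "high"
  source: |
    // Inbound mail that presents as USPS (detected logo, sender display name,
    // "USPS . COM" in the body, or a "USPS Delivery Team" sign-off), contains
    // at least one link, and shows three or more lure indicators; the
    // negations at the end remove legitimate senders, newsletters, replies
    // and messages whose links all go to usps.com.
    type.inbound
    // brand signal (logo detection runs on a rendered screenshot of the message)
    and (
      any(ml.logo_detect(file.message_screenshot()).brands, .name == "USPS")
      or strings.icontains(sender.display_name, "USPS")
      // regex.contains is case-sensitive, so only upper-case "USPS . COM" matches
      // here — presumably intentional, confirm
      or regex.contains(body.html.display_text, 'USPS\s*\.\s*COM')
      or strings.icontains(body.current_thread.text, 'USPS Delivery Team')
    )
    and length(body.links) > 0
    // at least three of the lure indicators below must be present;
    // the first is call-to-action link text
    and 3 of (
      any(body.links,
          strings.ilike(.display_text,
                        "*check now*",
                        "*track*",
                        "*package*",
                        '*view your order*',
                        "*update*"
          )
      ),
      // delivery-problem pretexts; "sorry tolet" (no space) is kept as written,
      // presumably to match a lure's own typo — confirm before changing it
      strings.ilike(body.current_thread.text,
                    "*returned*to*sender*",
                    "*redelivery*",
                    '*USPS promotions*',
                    '*review your package*',
                    '*receiver address*',
                    '*sorry tolet*',
                    '*Due to an incorrect*'
      ),
      // impersonal greeting
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "recipient" and .text =~ "Customer"
      ),
      // credential-theft intent from the NLU classifier, any confidence above low
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence != "low"
      ),
      // free email sender
      sender.email.domain.root_domain in $free_email_providers,
      // contains link to recently registered domain
      any(body.links, network.whois(.href_url.domain).days_old < 15),
      // homoglyph evasion: the brand/shipping words are found only after
      // confusable characters are normalised, i.e. they were obfuscated
      // in the raw text
      (
        regex.icontains(strings.replace_confusables(body.html.display_text),
                        '\b(?:u.?s.?p.?s|shipping|delivery)\b'
        )
        and not regex.icontains(body.html.display_text,
                                '\b(?:usps|shipping|delivery)\b'
        )
      )
    )
    // sender-domain negations, kept in one list. usps.com and
    // opinions-inmoment.com are only trusted when DMARC passes; the other
    // listed domains are excluded unconditionally, so a message spoofing one
    // of them is not caught by this rule — NOTE(review): confirm intended.
    and (
      sender.email.domain.root_domain not in (
        "usps.com",
        "opinions-inmoment.com", // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
        "shipup.co", // third party shipping company
        "withings.com", // third party shipping company
        "shopifyemail.com"
      )
      or (
        sender.email.domain.root_domain in (
          "usps.com",
          "opinions-inmoment.com" // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
        )
        and not headers.auth_summary.dmarc.pass
      )
    )
    // negate newsletters
    and not (
      length(body.links) > 20
      or any(ml.nlu_classifier(body.html.display_text).topics,
             .name == "Newsletters and Digests"
      )
    )
    // not all links to usps.com
    and not all(body.links, .href_url.domain.root_domain == "usps.com")
    // negate legit forwards and replies
    and not (
      (subject.is_reply or subject.is_forward)
      and length(body.previous_threads) > 0
      and (length(headers.references) > 0 or headers.in_reply_to is not null)
    )
    // negate highly trusted sender domains unless they fail DMARC authentication
    and (
      (
        sender.email.domain.root_domain in $high_trust_sender_root_domains
        and not headers.auth_summary.dmarc.pass
      )
      or sender.email.domain.root_domain not in $high_trust_sender_root_domains
    )
    // negate genuine tracking links that point at the USPS tools host
    and not any(body.links,
                regex.icontains(.display_text, 'Track (?:Your Order|Shipment)')
                and .href_url.domain.domain == 'tools.usps.com'
    )
  attack_types:
    - "Credential Phishing"
  tactics_and_techniques:
    - "Image as content"
    - "Impersonation: Brand"
    - "Social engineering"
  detection_methods:
    - "Computer Vision"
    - "Content analysis"
    - "Natural Language Understanding"
    - "Sender analysis"
  id: "28b9130a-d8e0-50af-97c9-c1b8f4c46d68"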