Brand impersonation: USPS
Impersonation of the United States Postal Service.
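name: "Brand impersonation: USPS"
description: "Impersonation of the United States Postal Service."
type: "rule"
severity: "high"
# Detection logic (MQL). Listing below is the rule source with the page's
# fused gutter numbers removed so the YAML/MQL is valid again.
source: |
  // Inbound messages only.
  type.inbound
  // USPS branding must be present somewhere: detected logo, sender display
  // name, a "USPS.COM" pattern in the rendered body, or the lure sign-off.
  and (
    any(ml.logo_detect(file.message_screenshot()).brands, .name == "USPS")
    or strings.icontains(sender.display_name, "USPS")
    or strings.icontains(sender.display_name, "United States Postal Service")
    // NOTE(review): regex.contains (not icontains) — unlike the other checks
    // this one appears to be case-sensitive; confirm that is intended.
    or regex.contains(body.html.display_text, 'USPS\s*\.\s*COM')
    or strings.icontains(body.current_thread.text, 'USPS Delivery Team')
  )
  // The lure has to carry at least one link.
  and length(body.links) > 0
  // Three or more of the following suspicious signals must hold.
  and 3 of (
    // call-to-action link text typical of delivery lures
    any(body.links,
        strings.ilike(.display_text,
                      "*check now*",
                      "*track*",
                      "*package*",
                      '*view your order*',
                      "*update*",
                      '*delivery address*',
                      "*parcel allocation*",
                      "*claim your parcel*"
        )
    ),
    // lure phrasing in the current thread body
    // NOTE(review): '*sorry tolet*' may be an intentional match for a lure
    // typo or a typo for "*sorry to let*" — confirm before changing it.
    strings.ilike(body.current_thread.text,
                  "*returned*to*sender*",
                  "*redelivery*",
                  '*USPS promotions*',
                  '*review your package*',
                  '*receiver address*',
                  '*package details*',
                  '*sorry tolet*',
                  '*Due to an incorrect*',
                  '*remain undeliverable*'
    ),
    // impersonal greeting
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "recipient" and .text =~ "Customer"
    ),
    // credential-theft intent with at least medium confidence
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence != "low"
    ),
    // free email sender
    sender.email.domain.root_domain in $free_email_providers,
    // sender domain is newly registered or has no WHOIS record
    network.whois(sender.email.domain).days_old < 30,
    not network.whois(sender.email.domain).found,

    // contains link to recently registered domain
    any(body.links, network.whois(.href_url.domain).days_old < 15),
    // confusable/obfuscated spelling: the keyword only appears once
    // confusable characters are normalized, not in the raw text
    (
      regex.icontains(strings.replace_confusables(body.html.display_text),
                      '\b(?:u.?s.?p.?s|shipping|delivery)\b'
      )
      and not regex.icontains(body.html.display_text,
                              '\b(?:usps|shipping|delivery)\b'
      )
    ),
    // link whose host is a bare 7-12 digit number (numeric host form)
    any(body.links, regex.icontains(.href_url.url, 'https?://[0-9]{7,12}/.+')),
  )
  // Sender allowlist: known USPS-related root domains are excluded, except
  // that usps.com and opinions-inmoment.com still match when DMARC fails.
  // NOTE(review): shipup.co and withings.com are excluded regardless of the
  // DMARC result, so a message spoofing either of them would not be caught
  // by this rule — confirm that asymmetry is intended.
  and (
    sender.email.domain.root_domain not in (
      "usps.com",
      "opinions-inmoment.com", // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
      "shipup.co", // third party shipping company
      "withings.com" // third party shipping company
    )
    or (
      sender.email.domain.root_domain in (
        "usps.com",
        "opinions-inmoment.com" // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
      )
      and not headers.auth_summary.dmarc.pass
    )
  )
  // negate newsletters
  and not (
    length(body.links) > 20
    or any(ml.nlu_classifier(body.html.display_text).topics,
           .name == "Newsletters and Digests"
    )
  )
  // not all links to usps.com
  and not all(body.links, .href_url.domain.root_domain == "usps.com")
  // negate legit forwards and replies
  and not (
    (subject.is_reply or subject.is_forward)
    and length(body.previous_threads) > 0
    and (length(headers.references) > 0 or headers.in_reply_to is not null)
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // negate genuine tracking links that point at the USPS tools host
  and not any(body.links,
              regex.icontains(.display_text, 'Track (?:Your Order|Shipment)')
              and .href_url.domain.domain == 'tools.usps.com'
  )
  // negate Shopify transactional mail
  and not sender.email.domain.root_domain in ('shopifyemail.com')
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "28b9130a-d8e0-50af-97c9-c1b8f4c46d68"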