Brand impersonation: USPS

Impersonation of the United States Postal Service.

Sublime rule (View on GitHub)

# Sublime Security detection rule: flags inbound mail that visually presents
# as USPS and carries delivery-themed lure links or wording, from a sender
# that is not usps.com and that the organization rarely sees.
name: "Brand impersonation: USPS"
description: "Impersonation of the United States Postal Service."
type: "rule"
severity: "high"
# MQL query evaluated per message; every top-level `and` condition must hold.
source: |
  type.inbound
  // logo detection on a screenshot of the rendered message must find USPS
  and any(ml.logo_detect(beta.message_screenshot()).brands, .name == "USPS")
  and length(body.links) > 0
  // at least two of the three lure indicators below must be present
  and 2 of (
    any(body.links,
        strings.ilike(.display_text, "*check now*", "*track*", "*package*")
    ),
    strings.ilike(body.current_thread.text,
                  "*returned*to*sender*",
                  "*redelivery*"
    ),
    // impersonal greeting
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "recipient" and .text =~ "Customer"
    )
  )
  // NOTE(review): this excludes any message whose sender root domain is
  // usps.com without requiring that it authenticated as usps.com — confirm
  // that an unauthenticated usps.com sender should be exempt
  and sender.email.domain.root_domain not in ("usps.com")
  // restrict to low-prevalence senders for this organization
  and profile.by_sender().prevalence in ("new", "outlier", "rare")
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // ($high_trust_sender_root_domains is a named list not defined in this file)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# Classification metadata for the rule feed; not evaluated as part of the query.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "28b9130a-d8e0-50af-97c9-c1b8f4c46d68"