Brand impersonation: USPS
Impersonation of the United States Postal Service.
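# Sublime Security detection rule. The page listing had gutter line numbers
# fused onto each line ("1name:", "6 type.inbound", ...), which breaks both the
# YAML and the MQL block; this restores the rule as parseable text and adds
# explanatory comments. The detection logic itself is unchanged.
name: "Brand impersonation: USPS"
description: "Impersonation of the United States Postal Service."
type: "rule"
severity: "high"
source: |
  type.inbound
  // the USPS brand logo is detected in a rendered screenshot of the message
  and any(ml.logo_detect(beta.message_screenshot()).brands, .name == "USPS")
  // the message must carry at least one link (a call to action to follow)
  and length(body.links) > 0
  // at least two of the following three content signals must be present
  and 2 of (
    // link display text typical of parcel-tracking lures
    any(body.links,
        strings.ilike(.display_text, "*check now*", "*track*", "*package*")
    ),
    // delivery-problem wording in the current thread body
    strings.ilike(body.current_thread.text,
                  "*returned*to*sender*",
                  "*redelivery*"
    ),
    // impersonal greeting: the NLU "recipient" entity is the generic word
    // "Customer" (case-insensitive) rather than a person's name
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "recipient" and .text =~ "Customer"
    )
  )
  // exclude mail whose sender root domain is the genuine USPS domain.
  // NOTE(review): unlike the high-trust block below, this exclusion is not
  // gated on DMARC, so a message presenting a usps.com sender that fails
  // DMARC is excluded here too -- confirm whether that is intended (upstream
  // DMARC enforcement may already cover it).
  and sender.email.domain.root_domain not in ("usps.com")
  // sender prevalence per profile.by_sender() must be new, outlier or rare
  and profile.by_sender().prevalence in ("new", "outlier", "rare")

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# Classification metadata used by Sublime for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "28b9130a-d8e0-50af-97c9-c1b8f4c46d68"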