Brand impersonation: USPS
Impersonation of the United States Postal Service.
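name: "Brand impersonation: USPS"
description: "Impersonation of the United States Postal Service."
type: "rule"
severity: "high"
# MQL source. Structure: (1) USPS reference in logo / display name / body,
# (2) at least three lure signals, (3) sender-domain and DMARC gating,
# (4) negations for newsletters, all-USPS links, genuine replies/forwards.
source: |
  type.inbound
  // (1) the message must reference USPS somewhere visible to the recipient
  and (
    any(ml.logo_detect(file.message_screenshot()).brands, .name == "USPS")
    or strings.icontains(sender.display_name, "USPS")
    // case-sensitive, unlike the neighbouring checks; presumably targets the
    // shouted "USPS . COM" spelling in lures - confirm before relaxing
    or regex.contains(body.html.display_text, 'USPS\s*\.\s*COM')
    or strings.icontains(body.current_thread.text, 'USPS Delivery Team')
  )
  and length(body.links) > 0
  // (2) lure signals: any three of the following must hold
  and 3 of (
    any(body.links,
        strings.ilike(.display_text,
                      "*check now*",
                      "*track*",
                      "*package*",
                      '*view your order*',
                      "*update*"
        )
    ),
    // '*sorry tolet*' (no space) presumably mirrors an observed lure verbatim;
    // verify against samples before "correcting" it to 'sorry to let'
    strings.ilike(body.current_thread.text,
                  "*returned*to*sender*",
                  "*redelivery*",
                  '*USPS promotions*',
                  '*review your package*',
                  '*receiver address*',
                  '*sorry tolet*',
                  '*Due to an incorrect*'
    ),
    // impersonal greeting
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "recipient" and .text =~ "Customer"
    ),
    // free email sender
    sender.email.domain.root_domain in $free_email_providers,
    // contains link to recently registered domain
    any(body.links, network.whois(.href_url.domain).days_old < 15),
    // brand / shipping keywords that only appear once confusable characters
    // are normalised, i.e. the plain text was deliberately obfuscated
    (
      regex.icontains(strings.replace_confusables(body.html.display_text),
                      '\b(?:u.?s.?p.?s|shipping|delivery)\b'
      )
      and not regex.icontains(body.html.display_text,
                              '\b(?:usps|shipping|delivery)\b'
      )
    )
  )
  // (3) negate USPS and its known partner domains, but only while they pass
  // DMARC: a listed domain that fails authentication is a spoof candidate and
  // must not be exempted. Applied uniformly to every listed domain (previously
  // shipup.co and withings.com were exempt regardless of DMARC result).
  and (
    sender.email.domain.root_domain not in (
      "usps.com",
      "opinions-inmoment.com", // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
      "shipup.co", // third party shipping company
      "withings.com" // third party shipping company
    )
    or not headers.auth_summary.dmarc.pass
  )
  // (4) negate newsletters
  and not (
    length(body.links) > 20
    or any(ml.nlu_classifier(body.html.display_text).topics,
           .name == "Newsletters and Digests"
    )
  )
  // not all links to usps.com
  and not all(body.links, .href_url.domain.root_domain == "usps.com")
  // negate legit forwards and replies
  and not (
    (subject.is_reply or subject.is_forward)
    and length(body.previous_threads) > 0
    and (length(headers.references) > 0 or headers.in_reply_to is not null)
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // genuine USPS tracking links point at tools.usps.com
  and not any(body.links,
              regex.icontains(.display_text, 'Track (?:Your Order|Shipment)')
              and .href_url.domain.domain == 'tools.usps.com'
  )
  // unconditional exclusion, not DMARC-gated like the sender list above;
  // presumably deliberate for this sending platform - confirm
  and not sender.email.domain.root_domain in ('shopifyemail.com')
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "28b9130a-d8e0-50af-97c9-c1b8f4c46d68"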