
Brand impersonation: USPS

Impersonation of the United States Postal Service.

MITRE ATT&CK

initial-access

Detection Query

// Brand impersonation: USPS.
// Structure: inbound only, then (1) a USPS brand signal, (2) at least three
// phishing-style indicators, (3) a series of negations for legitimate mail.
type.inbound
// (1) Brand signal: USPS logo detected in a rendered screenshot of the message,
// "USPS" in the sender display name, an upper-case "USPS.COM" (whitespace
// tolerated around the dot) in the visible HTML text, or the phrase
// "USPS Delivery Team" in the current thread.
and (
  any(ml.logo_detect(file.message_screenshot()).brands, .name == "USPS")
  or strings.icontains(sender.display_name, "USPS")
  // case-sensitive on purpose (regex.contains, not regex.icontains)
  or regex.contains(body.html.display_text, 'USPS\s*\.\s*COM')
  or strings.icontains(body.current_thread.text, 'USPS Delivery Team')
)
// the rule is about lure links; a message with no links never matches
and length(body.links) > 0
// (2) At least three of the following indicators must hold.
and 3 of (
  // call-to-action link text typical of delivery-notice lures
  any(body.links,
      strings.ilike(.display_text,
                    "*check now*",
                    "*track*",
                    "*package*",
                    '*view your order*',
                    "*update*"
      )
  ),
  // delivery-problem phrasing in the current thread.
  // NOTE(review): '*sorry tolet*' has no space between "to" and "let";
  // presumably this mirrors a typo in a known lure template — confirm it is
  // intentional rather than a mistake in the rule.
  strings.ilike(body.current_thread.text,
                "*returned*to*sender*",
                "*redelivery*",
                '*USPS promotions*',
                '*review your package*',
                '*receiver address*',
                '*sorry tolet*',
                '*Due to an incorrect*'
  ),
  // impersonal greeting: NLU "recipient" entity whose text is "Customer"
  // (=~ is a case-insensitive comparison)
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "recipient" and .text =~ "Customer"
  ),
  // free email sender
  sender.email.domain.root_domain in $free_email_providers,
  // contains link to recently registered domain (WHOIS age under 15 days)
  any(body.links, network.whois(.href_url.domain).days_old < 15),
  // obfuscated brand/shipping wording: the term is only found once lookalike
  // (confusable) characters have been normalized, i.e. the plain spelling is
  // absent from the visible text. ".?" tolerates one separator character
  // between the letters of u-s-p-s.
  (
    regex.icontains(strings.replace_confusables(body.html.display_text),
                    '\b(?:u.?s.?p.?s|shipping|delivery)\b'
    )
    and not regex.icontains(body.html.display_text,
                            '\b(?:usps|shipping|delivery)\b'
    )
  )
)
// (3) Negations.
// Sender-domain allow list. Only usps.com and opinions-inmoment.com are
// re-included when DMARC does not pass; shipup.co and withings.com are
// excluded unconditionally, so a message that spoofs either of those sender
// domains is not evaluated further by this rule. NOTE(review): consider
// moving them into the DMARC-gated branch below if those domains enforce DMARC.
and (
  sender.email.domain.root_domain not in (
    "usps.com",
    "opinions-inmoment.com", // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
    "shipup.co", // third party shipping company
    "withings.com" // third party shipping company
  )
  or (
    sender.email.domain.root_domain in (
      "usps.com",
      "opinions-inmoment.com" // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
    )
    and not headers.auth_summary.dmarc.pass
  )
)
// negate newsletters: many links, or NLU classifies the HTML text as a newsletter/digest
and not (
  length(body.links) > 20
  or any(ml.nlu_classifier(body.html.display_text).topics,
         .name == "Newsletters and Digests"
  )
)
// not all links to usps.com (a message whose every link is on usps.com is negated)
and not all(body.links, .href_url.domain.root_domain == "usps.com")
// negate legit forwards and replies: reply/forward subject, at least one
// previous thread in the body, and threading headers present
and not (
  (subject.is_reply or subject.is_forward)
  and length(body.previous_threads) > 0
  and (length(headers.references) > 0 or headers.in_reply_to is not null)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// negate messages with a "Track Your Order/Shipment" link to tools.usps.com
// (e.g. merchant order confirmations). NOTE(review): this is `not any`, so a
// single such link negates the whole rule even when the other links point
// elsewhere — one decoy tracking link is enough to bypass detection.
and not any(body.links,
            regex.icontains(.display_text, 'Track (?:Your Order|Shipment)')
            and .href_url.domain.domain == 'tools.usps.com'
)
// negate Shopify-sent mail. Unlike the trusted-domain checks above, this
// exclusion has no DMARC condition, so a spoofed shopifyemail.com sender is
// negated as well.
and not sender.email.domain.root_domain in ('shopifyemail.com')

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
name: "Brand impersonation: USPS"
description: "Impersonation of the United States Postal Service."
type: "rule"
severity: "high"
source: |
  // Brand impersonation: USPS.
  // Structure: inbound only, then (1) a USPS brand signal, (2) at least three
  // phishing-style indicators, (3) a series of negations for legitimate mail.
  type.inbound
  // (1) Brand signal: USPS logo detected in a rendered screenshot of the message,
  // "USPS" in the sender display name, an upper-case "USPS.COM" (whitespace
  // tolerated around the dot) in the visible HTML text, or the phrase
  // "USPS Delivery Team" in the current thread.
  and (
    any(ml.logo_detect(file.message_screenshot()).brands, .name == "USPS")
    or strings.icontains(sender.display_name, "USPS")
    // case-sensitive on purpose (regex.contains, not regex.icontains)
    or regex.contains(body.html.display_text, 'USPS\s*\.\s*COM')
    or strings.icontains(body.current_thread.text, 'USPS Delivery Team')
  )
  // the rule is about lure links; a message with no links never matches
  and length(body.links) > 0
  // (2) At least three of the following indicators must hold.
  and 3 of (
    // call-to-action link text typical of delivery-notice lures
    any(body.links,
        strings.ilike(.display_text,
                      "*check now*",
                      "*track*",
                      "*package*",
                      '*view your order*',
                      "*update*"
        )
    ),
    // delivery-problem phrasing in the current thread.
    // NOTE(review): '*sorry tolet*' has no space between "to" and "let";
    // presumably this mirrors a typo in a known lure template — confirm it is
    // intentional rather than a mistake in the rule.
    strings.ilike(body.current_thread.text,
                  "*returned*to*sender*",
                  "*redelivery*",
                  '*USPS promotions*',
                  '*review your package*',
                  '*receiver address*',
                  '*sorry tolet*',
                  '*Due to an incorrect*'
    ),
    // impersonal greeting: NLU "recipient" entity whose text is "Customer"
    // (=~ is a case-insensitive comparison)
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "recipient" and .text =~ "Customer"
    ),
    // free email sender
    sender.email.domain.root_domain in $free_email_providers,
    // contains link to recently registered domain (WHOIS age under 15 days)
    any(body.links, network.whois(.href_url.domain).days_old < 15),
    // obfuscated brand/shipping wording: the term is only found once lookalike
    // (confusable) characters have been normalized, i.e. the plain spelling is
    // absent from the visible text. ".?" tolerates one separator character
    // between the letters of u-s-p-s.
    (
      regex.icontains(strings.replace_confusables(body.html.display_text),
                      '\b(?:u.?s.?p.?s|shipping|delivery)\b'
      )
      and not regex.icontains(body.html.display_text,
                              '\b(?:usps|shipping|delivery)\b'
      )
    )
  )
  // (3) Negations.
  // Sender-domain allow list. Only usps.com and opinions-inmoment.com are
  // re-included when DMARC does not pass; shipup.co and withings.com are
  // excluded unconditionally, so a message that spoofs either of those sender
  // domains is not evaluated further by this rule. NOTE(review): consider
  // moving them into the DMARC-gated branch below if those domains enforce DMARC.
  and (
    sender.email.domain.root_domain not in (
      "usps.com",
      "opinions-inmoment.com", // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
      "shipup.co", // third party shipping company
      "withings.com" // third party shipping company
    )
    or (
      sender.email.domain.root_domain in (
        "usps.com",
        "opinions-inmoment.com" // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
      )
      and not headers.auth_summary.dmarc.pass
    )
  )
  // negate newsletters: many links, or NLU classifies the HTML text as a newsletter/digest
  and not (
    length(body.links) > 20
    or any(ml.nlu_classifier(body.html.display_text).topics,
           .name == "Newsletters and Digests"
    )
  )
  // not all links to usps.com (a message whose every link is on usps.com is negated)
  and not all(body.links, .href_url.domain.root_domain == "usps.com")
  // negate legit forwards and replies: reply/forward subject, at least one
  // previous thread in the body, and threading headers present
  and not (
    (subject.is_reply or subject.is_forward)
    and length(body.previous_threads) > 0
    and (length(headers.references) > 0 or headers.in_reply_to is not null)
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // negate messages with a "Track Your Order/Shipment" link to tools.usps.com
  // (e.g. merchant order confirmations). NOTE(review): this is `not any`, so a
  // single such link negates the whole rule even when the other links point
  // elsewhere — one decoy tracking link is enough to bypass detection.
  and not any(body.links,
              regex.icontains(.display_text, 'Track (?:Your Order|Shipment)')
              and .href_url.domain.domain == 'tools.usps.com'
  )
  // negate Shopify-sent mail. Unlike the trusted-domain checks above, this
  // exclusion has no DMARC condition, so a spoofed shopifyemail.com sender is
  // negated as well.
  and not sender.email.domain.root_domain in ('shopifyemail.com')
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "28b9130a-d8e0-50af-97c9-c1b8f4c46d68"