Sublime | medium | Rule

Fraudulent order confirmation/shipping notification from Chinese sender domain

Detects an order confirmation/shipping notification from a suspicious sender domain based in China. The order may be legitimately placed by the user, but the store is fraudulent and it is unlikely that their order will arrive. Links to these e-commerce sites have been observed in online advertising. We recommend enabling a custom warning banner to alert users and prompt them to contact their bank to recover their funds.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
// direct to recipient
and length(recipients.to) == 1
and length(body.previous_threads) == 0

// Known patterns
and (sender.display_name is null or sender.email.local_part == "support")
and all(headers.reply_to,
        .email.domain.root_domain == sender.email.domain.root_domain
)

// Alibaba Cloud nameservers
and length(network.whois(sender.email.domain).name_servers) > 0
and all(network.whois(sender.email.domain).name_servers,
        .root_domain == "hichina.com"
)

// Shipping notification
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ('Shipping and Package', "Order Confirmations")
)
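The following is an added example, not code from Sublime or from this rule's author: it re-implements the query's predicates in Python over a constructed sample message so the logic can be traced offline. The two calls the rule makes that need live services, `network.whois(...).name_servers` and `ml.nlu_classifier(...).topics`, are replaced by caller-supplied values (here the constructed `SAMPLE_NAME_SERVERS` and `SAMPLE_TOPICS`). The `root_domain` helper is an assumption that approximates the registrable domain by its last two labels; a production version would use the Public Suffix List. The `evaluate` function returns each predicate's result separately, which is what you want when tuning the rule against false positives.

```python
"""Offline re-implementation of the rule's predicates (added example).

All addresses, domains, name servers and topics below are constructed test
data; the whois lookup and NLU classifier are stand-ins, not live calls.
"""
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (every address and domain is made up).
SAMPLE_RAW = """\
From: support@example-shop-store.com
To: victim@example.org
Reply-To: support@example-shop-store.com
Subject: Your order #12345 has shipped

Thanks for your order! Your package is on its way.
"""

# Constructed stand-ins for network.whois(sender domain).name_servers
# and for ml.nlu_classifier(body text).topics.
SAMPLE_NAME_SERVERS = ["dns1.hichina.com", "dns2.hichina.com"]
SAMPLE_TOPICS = ["Shipping and Package"]

SHIPPING_TOPICS = ("Shipping and Package", "Order Confirmations")


def root_domain(host: str) -> str:
    """Approximate registrable domain as the last two labels.

    Assumption: adequate for .com/.org style names used in this example; a
    real implementation must consult the Public Suffix List (for instance
    'shop.example.co.uk' would wrongly yield 'co.uk' here).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def split_address(addr: str):
    """Return (local_part, domain) for an RFC 5322 addr-spec."""
    local, _, domain = addr.rpartition("@")
    return local, domain


def evaluate(raw: str, name_servers, topics, previous_threads: int = 0) -> dict:
    """Return each of the rule's predicates as a named boolean."""
    msg = message_from_string(raw)
    to_addrs = [a for _, a in getaddresses(msg.get_all("To", []))]
    sender_name, sender_addr = getaddresses([msg.get("From", "")])[0]
    local, sender_domain = split_address(sender_addr)
    sender_root = root_domain(sender_domain)
    reply_to = [a for _, a in getaddresses(msg.get_all("Reply-To", []))]

    return {
        # direct to recipient, no quoted earlier thread
        "single_recipient": len(to_addrs) == 1,
        "no_previous_threads": previous_threads == 0,
        # known patterns: empty display name or a 'support' local part
        "sender_pattern": sender_name == "" or local == "support",
        # all() over an empty Reply-To list is true, matching MQL semantics
        "reply_to_same_root": all(
            root_domain(split_address(a)[1]) == sender_root for a in reply_to
        ),
        # at least one name server, and every one of them under hichina.com
        "hichina_nameservers": bool(name_servers)
        and all(root_domain(ns) == "hichina.com" for ns in name_servers),
        # shipping / order-confirmation topic from the classifier stand-in
        "shipping_topic": any(t in SHIPPING_TOPICS for t in topics),
    }


def matches_rule(raw: str, name_servers, topics, previous_threads: int = 0) -> bool:
    """True when every predicate in evaluate() holds, like the rule's 'and' chain."""
    return all(evaluate(raw, name_servers, topics, previous_threads).values())


if __name__ == "__main__":
    for name, ok in evaluate(SAMPLE_RAW, SAMPLE_NAME_SERVERS, SAMPLE_TOPICS).items():
        print(f"{name:22s} {ok}")
    print("match:", matches_rule(SAMPLE_RAW, SAMPLE_NAME_SERVERS, SAMPLE_TOPICS))
```

Running it on the constructed sample prints each predicate and an overall match of `True`; swapping the name servers for a non-hichina provider, or the topic for something unrelated, flips the corresponding predicate and the overall result to `False`, which is the quickest way to see which clause is doing the work for a given message.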

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email
Raw Content
name: "Fraudulent order confirmation/shipping notification from Chinese sender domain"
description: "Detects an order confirmation/shipping notification from a suspicious sender domain based in China. The order may be legitimately placed by the user, but the store is fraudulent and it is unlikely that their order will arrive. Links to these e-commerce sites have been observed in online advertising. We recommend enabling a custom warning banner to alert users and prompt them to contact their bank to recover their funds."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // direct to recipient
  and length(recipients.to) == 1
  and length(body.previous_threads) == 0
  
  // Known patterns
  and (sender.display_name is null or sender.email.local_part == "support")
  and all(headers.reply_to,
          .email.domain.root_domain == sender.email.domain.root_domain
  )
  
  // Alibaba Cloud nameservers
  and length(network.whois(sender.email.domain).name_servers) > 0
  and all(network.whois(sender.email.domain).name_servers,
          .root_domain == "hichina.com"
  )
  
  // Shipping notification
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name in ('Shipping and Package', "Order Confirmations")
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Whois"
id: "4392a14e-421e-5e2f-8659-a92d1a6bb1fd"