← Back to Explore
sublimelowRule
Brand impersonation: UPS
Detects messages impersonating UPS (United Parcel Service) through display name, email address patterns, subject content, or HTML styling that mimics UPS branding, while excluding legitimate UPS domains.
Detection Query
type.inbound
and sender.email.domain.root_domain not in ("ups.com", "upsemail.com")
and (
sender.display_name in~ ("UPS My Choice", "UPS Services", "Ups.com")
or regex.icontains(sender.display_name, 'ups-\w+')
or strings.ilike(sender.email.local_part, "*united*parcel*service*")
or strings.ilike(sender.email.domain.domain, '*united*parcel*service*')
or strings.icontains(subject.subject, 'UPS delivery')
or sender.email.local_part =~ "ups"
or regex.icontains(sender.display_name,
"U[^a-zA-Z]P[^a-zA-Z]S(?:[^a-zA-Z]|$)"
)
or strings.icontains(body.html.raw, 'background-color:#351d20')
or strings.icontains(body.html.raw, 'background-color: #351d20')
)
and (
// Observed in the "footer" of impersation messages
// added this due to the UPS image not loading on some emails
strings.icontains(body.current_thread.text, "United Parcel Service of")
or regex.icontains(body.current_thread.text,
"(©|®).{0,15}(?:U.?P.?S.?|United Parcel Service)"
)
or any(ml.logo_detect(file.message_screenshot()).brands, .name is not null)
)
and sender.email.email not in $recipient_emails
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Raw Content
name: "Brand impersonation: UPS"
description: |
Detects messages impersonating UPS (United Parcel Service) through display name, email address patterns, subject content, or HTML styling that mimics UPS branding, while excluding legitimate UPS domains.
references:
- "https://www.bleepingcomputer.com/news/security/phishing-campaign-uses-upscom-xss-vuln-to-distribute-malware/"
- "https://twitter.com/DanielGallagher/status/1429794038463479813"
- "https://www.ups.com/us/en/help-center/legal-terms-conditions/fight-fraud/recognize.page"
type: "rule"
severity: "low"
source: |
type.inbound
and sender.email.domain.root_domain not in ("ups.com", "upsemail.com")
and (
sender.display_name in~ ("UPS My Choice", "UPS Services", "Ups.com")
or regex.icontains(sender.display_name, 'ups-\w+')
or strings.ilike(sender.email.local_part, "*united*parcel*service*")
or strings.ilike(sender.email.domain.domain, '*united*parcel*service*')
or strings.icontains(subject.subject, 'UPS delivery')
or sender.email.local_part =~ "ups"
or regex.icontains(sender.display_name,
"U[^a-zA-Z]P[^a-zA-Z]S(?:[^a-zA-Z]|$)"
)
or strings.icontains(body.html.raw, 'background-color:#351d20')
or strings.icontains(body.html.raw, 'background-color: #351d20')
)
and (
// Observed in the "footer" of impersation messages
// added this due to the UPS image not loading on some emails
strings.icontains(body.current_thread.text, "United Parcel Service of")
or regex.icontains(body.current_thread.text,
"(©|®).{0,15}(?:U.?P.?S.?|United Parcel Service)"
)
or any(ml.logo_detect(file.message_screenshot()).brands, .name is not null)
)
and sender.email.email not in $recipient_emails
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Lookalike domain"
- "Social engineering"
detection_methods:
- "Computer Vision"
- "Sender analysis"
id: "73b68869-5720-5dc3-b4bc-15730de972d8"