EXPLORE
← Back to Explore
sublimelowRule

Brand impersonation: UPS

Detects messages impersonating UPS (United Parcel Service) through display name, email address patterns, subject content, or HTML styling that mimics UPS branding, while excluding legitimate UPS domains.

Detection Query

type.inbound
and sender.email.domain.root_domain not in ("ups.com", "upsemail.com")
and (
  sender.display_name in~ ("UPS My Choice", "UPS Services", "Ups.com")
  or regex.icontains(sender.display_name, 'ups-\w+')
  or strings.ilike(sender.email.local_part, "*united*parcel*service*")
  or strings.ilike(sender.email.domain.domain, '*united*parcel*service*')
  or strings.icontains(subject.subject, 'UPS delivery')
  or sender.email.local_part =~ "ups"
  or regex.icontains(sender.display_name,
                     "U[^a-zA-Z]P[^a-zA-Z]S(?:[^a-zA-Z]|$)"
  )
  or strings.icontains(body.html.raw, 'background-color:#351d20')
  or strings.icontains(body.html.raw, 'background-color: #351d20')
)
and (
  // Observed in the "footer" of impersation messages
  // added this due to the UPS image not loading on some emails
  strings.icontains(body.current_thread.text, "United Parcel Service of")
  or regex.icontains(body.current_thread.text,
                     "(©|®).{0,15}(?:U.?P.?S.?|United Parcel Service)"
  )
  or any(ml.logo_detect(file.message_screenshot()).brands, .name is not null)
)
and sender.email.email not in $recipient_emails

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand impersonation: UPS"
description: |
  Detects messages impersonating UPS (United Parcel Service) through display name, email address patterns, subject content, or HTML styling that mimics UPS branding, while excluding legitimate UPS domains.
references:
  - "https://www.bleepingcomputer.com/news/security/phishing-campaign-uses-upscom-xss-vuln-to-distribute-malware/"
  - "https://twitter.com/DanielGallagher/status/1429794038463479813"
  - "https://www.ups.com/us/en/help-center/legal-terms-conditions/fight-fraud/recognize.page"
type: "rule"
severity: "low"
source: |
  type.inbound
  and sender.email.domain.root_domain not in ("ups.com", "upsemail.com")
  and (
    sender.display_name in~ ("UPS My Choice", "UPS Services", "Ups.com")
    or regex.icontains(sender.display_name, 'ups-\w+')
    or strings.ilike(sender.email.local_part, "*united*parcel*service*")
    or strings.ilike(sender.email.domain.domain, '*united*parcel*service*')
    or strings.icontains(subject.subject, 'UPS delivery')
    or sender.email.local_part =~ "ups"
    or regex.icontains(sender.display_name,
                       "U[^a-zA-Z]P[^a-zA-Z]S(?:[^a-zA-Z]|$)"
    )
    or strings.icontains(body.html.raw, 'background-color:#351d20')
    or strings.icontains(body.html.raw, 'background-color: #351d20')
  )
  and (
    // Observed in the "footer" of impersation messages
    // added this due to the UPS image not loading on some emails
    strings.icontains(body.current_thread.text, "United Parcel Service of")
    or regex.icontains(body.current_thread.text,
                       "(©|®).{0,15}(?:U.?P.?S.?|United Parcel Service)"
    )
    or any(ml.logo_detect(file.message_screenshot()).brands, .name is not null)
  )
  and sender.email.email not in $recipient_emails
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Sender analysis"
id: "73b68869-5720-5dc3-b4bc-15730de972d8"