Brand impersonation: UPS

name: "Brand impersonation: UPS"
description: |
  Impersonation of United Parcel Service (UPS).
references:
  - "https://www.bleepingcomputer.com/news/security/phishing-campaign-uses-upscom-xss-vuln-to-distribute-malware/"
  - "https://twitter.com/DanielGallagher/status/1429794038463479813"
  - "https://www.ups.com/us/en/help-center/legal-terms-conditions/fight-fraud/recognize.page"
type: "rule"
severity: "low"
source: |
  type.inbound
  and sender.email.domain.root_domain not in ("ups.com", "upsemail.com")
  and (
    sender.display_name in~ ("UPS My Choice", "UPS Services")
    or strings.ilike(sender.email.local_part, "*united*parcel*service*")
    or strings.ilike(sender.email.domain.domain, '*united*parcel*service*')
    or strings.icontains(subject.subject, 'UPS delivery')
    or sender.email.local_part =~ "ups"
    or regex.icontains(sender.display_name,
                       "U[^a-zA-Z]P[^a-zA-Z]S(?:[^a-zA-Z]|$)"
    )
  )
  and (
    // Observed in the "footer" of impersation messages
    // added this due to the UPS image not loading on some emails
    strings.icontains(body.current_thread.text, "United Parcel Service of")
    or any(ml.logo_detect(file.message_screenshot()).brands, .name is not null)
  )
  and sender.email.email not in $recipient_emails
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Sender analysis"
id: "73b68869-5720-5dc3-b4bc-15730de972d8"