EXPLORE
← Back to Explore
sublimelowRule

Brand impersonation: FedEx

Impersonation of the shipping provider FedEx.

Detection Query

type.inbound
and (
  sender.display_name in~ ('fedex', 'fedex shipment', 'fedex tracking updates')
  or strings.ilevenshtein(sender.display_name, 'fedex') <= 1
  or regex.icontains(sender.display_name, '^Fed-?ex')
  or strings.ilike(sender.email.domain.domain, '*fedex*')
  or (
    any(ml.logo_detect(file.message_screenshot()).brands, .name == "FedEx")
    and (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "request" and strings.icontains(.text, "signature")
      )
      or strings.istarts_with(body.current_thread.text, 'FedEx')
    )
  )
  or 2 of (
    strings.icontains(body.current_thread.text, "FedEx"),
    strings.icontains(body.current_thread.text, "942 South Shady Grove Road"),
    strings.icontains(body.current_thread.text, "3620 Hacks Cross Road"),
    strings.icontains(body.current_thread.text, "Memphis, TN")
  )
)
and not (
  sender.email.domain.root_domain in~ (
    'fedex.com',
    'fedexfreight.com', // added 2026-05-08
    'cj.com', // CJ is a global affiliate marketing network
    'sedex.com', // sedex.com is not affiliated with FedEx, but is an apparent FP
    'myworkday.com',
    'billtrust.com',
    'flying-cargo.rs', // Serbian arm of Fedex (https://www.fedex.com/en-rs/customer-support.html)
    'confirmit.com', // survey/market research company
    'centercode.com' // survey company
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
and (
  not profile.by_sender().any_messages_benign
  and not profile.by_sender().solicited
)

// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand impersonation: FedEx"
description: |
  Impersonation of the shipping provider FedEx.
references:
  - "https://www.fedex.com/en-us/trust-center/report-fraud/fraudulent-email-examples.html"
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    sender.display_name in~ ('fedex', 'fedex shipment', 'fedex tracking updates')
    or strings.ilevenshtein(sender.display_name, 'fedex') <= 1
    or regex.icontains(sender.display_name, '^Fed-?ex')
    or strings.ilike(sender.email.domain.domain, '*fedex*')
    or (
      any(ml.logo_detect(file.message_screenshot()).brands, .name == "FedEx")
      and (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "request" and strings.icontains(.text, "signature")
        )
        or strings.istarts_with(body.current_thread.text, 'FedEx')
      )
    )
    or 2 of (
      strings.icontains(body.current_thread.text, "FedEx"),
      strings.icontains(body.current_thread.text, "942 South Shady Grove Road"),
      strings.icontains(body.current_thread.text, "3620 Hacks Cross Road"),
      strings.icontains(body.current_thread.text, "Memphis, TN")
    )
  )
  and not (
    sender.email.domain.root_domain in~ (
      'fedex.com',
      'fedexfreight.com', // added 2026-05-08
      'cj.com', // CJ is a global affiliate marketing network
      'sedex.com', // sedex.com is not affiliated with FedEx, but is an apparent FP
      'myworkday.com',
      'billtrust.com',
      'flying-cargo.rs', // Serbian arm of Fedex (https://www.fedex.com/en-rs/customer-support.html)
      'confirmit.com', // survey/market research company
      'centercode.com' // survey company
    )
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  and (
    not profile.by_sender().any_messages_benign
    and not profile.by_sender().solicited
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "94a2b602-2bc1-5ea3-941e-752e3a2235cf"