sublime · medium · Rule
Brand impersonation: AliExpress
Detects messages impersonating AliExpress by matching the corporate address or at least four of the official social-media/contact links found in its footer, while excluding mail that is DMARC-authenticated from aliexpress.com or alibaba.com, or that passed through aliyun-inc.com mail infrastructure.
Detection Query
// Brand impersonation: AliExpress.
// Flags inbound mail that reproduces AliExpress' footer (the corporate
// address, or at least four of its official social/contact links) but
// cannot be tied to AliExpress/Alibaba sending infrastructure. Either footer
// artifact alone satisfies the first clause; the two exclusions at the end
// are what keep genuine AliExpress mail out.
type.inbound
and (
  // the address in the footer
  // Case-insensitive substring match against body.current_thread.text only,
  // so presumably the address quoted in an earlier reply further down a
  // thread does not count on its own — confirm how current_thread is
  // delimited.
  strings.icontains(body.current_thread.text,
                    '26/F Tower One, Times Square, 1 Matheson Street, Causeway Bay'
  )
  // the social links in the footer
  // Counts links whose href contains one of six known AliExpress profile /
  // contact URLs. Four or more matching links are required; the count is of
  // links, not of distinct URLs, so repeated copies of one link also count.
  // NOTE(review): each pattern is anchored on its exact 'https://www.' /
  // 'https://' form, so http://, scheme-less, m.facebook.com, or
  // tracking-redirector variants of the same destinations would not be
  // counted — an evasion to keep in mind, only worth loosening if genuine
  // AliExpress templates are confirmed to use exactly these forms.
  or (
    length(filter(body.links,
                  strings.icontains(.href_url.url,
                                    'https://www.facebook.com/aliexpressbr'
                  )
                  or strings.icontains(.href_url.url,
                                       'https://twitter.com/aliexpressbr'
                  )
                  or strings.icontains(.href_url.url,
                                       'https://www.youtube.com/user/AliExpressChannel'
                  )
                  or strings.icontains(.href_url.url,
                                       'https://www.instagram.com/aliexpressbr'
                  )
                  // whatsapp
                  or strings.icontains(.href_url.url,
                                       'https://wa.me/8657186563839'
                  )
                  // messenger
                  or strings.icontains(.href_url.url, 'https://m.me/AliExpress')
    )
    ) >= 4
  )
)
// not from AliExpress or Alibaba
// Both conditions must hold to be exempt: the sender's root domain is
// aliexpress.com/alibaba.com AND the DMARC summary is a pass. A message that
// merely claims an aliexpress.com sender without a DMARC pass stays in scope;
// genuine AliExpress mail whose DMARC fails also stays in scope (accepted
// trade-off: fail toward alerting rather than toward silence).
and not (
  sender.email.domain.root_domain in ("aliexpress.com", "alibaba.com")
  and headers.auth_summary.dmarc.pass
)
// did not traverse the parent org's mail server
// NOTE(review): unlike the DMARC gate above, this exemption is not backed by
// an authentication result — it exits on any header domain whose root is
// aliyun-inc.com. If headers.domains is populated from sender-controllable
// headers (e.g. forged Received: lines), an impersonator could suppress the
// alert by planting an aliyun-inc.com reference; confirm which headers feed
// headers.domains before relying on it, or tie it to an authenticated hop.
and not (any(headers.domains, .root_domain in ('aliyun-inc.com')))
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
# Sublime detection rule: flags inbound mail that reuses AliExpress' footer
# (corporate address or >=4 official social/contact links) unless it is
# DMARC-authenticated from aliexpress.com/alibaba.com or carries an
# aliyun-inc.com header domain. Severity is medium; see the inline notes in
# the source for the trust boundaries of each exclusion.
name: "Brand impersonation: AliExpress"
description: "Detects messages impersonating AliExpress by matching known footer text and social media links, while confirming the sender is not legitimately from AliExpress or its infrastructure."
type: "rule"
severity: "medium"
source: |
// Either footer artifact alone satisfies this first clause; the two
// exclusions at the end are what keep genuine AliExpress mail out.
type.inbound
and (
// the address in the footer
// Case-insensitive substring match against body.current_thread.text only,
// so presumably an address quoted in an earlier reply further down a thread
// does not count on its own — confirm how current_thread is delimited.
strings.icontains(body.current_thread.text,
'26/F Tower One, Times Square, 1 Matheson Street, Causeway Bay'
)
// the social links in the footer
// Counts links whose href contains one of six known AliExpress profile /
// contact URLs; four or more matching links are required. The count is of
// links, not of distinct URLs. NOTE(review): each pattern is anchored on its
// exact 'https://www.' / 'https://' form, so http://, scheme-less,
// m.facebook.com, or tracking-redirector variants would not be counted.
or (
length(filter(body.links,
strings.icontains(.href_url.url,
'https://www.facebook.com/aliexpressbr'
)
or strings.icontains(.href_url.url,
'https://twitter.com/aliexpressbr'
)
or strings.icontains(.href_url.url,
'https://www.youtube.com/user/AliExpressChannel'
)
or strings.icontains(.href_url.url,
'https://www.instagram.com/aliexpressbr'
)
// whatsapp
or strings.icontains(.href_url.url,
'https://wa.me/8657186563839'
)
// messenger
or strings.icontains(.href_url.url, 'https://m.me/AliExpress')
)
) >= 4
)
)
// not from AliExpress or Alibaba
// Both conditions must hold to be exempt: sender root domain is
// aliexpress.com/alibaba.com AND DMARC passed. A claimed aliexpress.com
// sender without a DMARC pass stays in scope, as does genuine mail whose
// DMARC fails (fail toward alerting).
and not (
sender.email.domain.root_domain in ("aliexpress.com", "alibaba.com")
and headers.auth_summary.dmarc.pass
)
// did not traverse the parent org's mail server
// NOTE(review): this exemption is not backed by an authentication result —
// any header domain rooted at aliyun-inc.com exits the rule. If
// headers.domains includes sender-controllable headers (e.g. forged
// Received: lines), an impersonator could suppress the alert by planting an
// aliyun-inc.com reference; confirm which headers feed headers.domains.
and not (any(headers.domains, .root_domain in ('aliyun-inc.com')))
attack_types:
- "Callback Phishing"
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "URL analysis"
id: "b14703d8-5655-5a09-8a21-ef349ab435ea"