← Back to Explore
sublimemediumRule
Brand Impersonation: Shein
Detects suspicious Shein-branded communications using display name impersonation, logo detection, and deceptive content analysis. Includes checks for security/authentication topics, secure messages, notifications, and promotional content like fake surveys or giveaways. Excludes legitimate Shein domains with proper authentication and known trusted senders.
Detection Query
type.inbound
and (
// display name contains Shein
(
(
regex.icontains(strings.replace_confusables(sender.display_name),
'\bsh[ie]{2}n\b'
)
and not strings.icontains(sender.display_name, "sheen")
)
or (
length(ml.logo_detect(file.message_screenshot()).brands) == 1
and all(ml.logo_detect(file.message_screenshot()).brands,
.name == "Shein" and .confidence == "high"
)
)
)
)
and (
(
length(ml.nlu_classifier(body.current_thread.text).topics) > 0
and all(ml.nlu_classifier(body.current_thread.text).topics,
.name in (
"Security and Authentication",
"Secure Message",
"Reminders and Notifications",
"Advertising and Promotions" // fake surveys/giveaways have been observed
)
and .confidence in ("medium", "high")
)
)
or (
length(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics) > 0
and all(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
.name in (
"Security and Authentication",
"Secure Message",
"Reminders and Notifications",
"Advertising and Promotions" // fake surveys/giveaways have been observed
)
and .confidence in ("medium", "high")
and beta.ocr(file.message_screenshot()).text != ""
)
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
.name == "cred_theft" and .confidence == "high"
)
)
// and the sender is not in org_domains or from Shein domains and passes auth
and not (
sender.email.domain.root_domain in $org_domains
or (
length(attachments) == 1
// this is Shein's return label generator
and all(attachments,
.file_type == "pdf"
and strings.icontains(beta.parse_exif(.).creator, "MondialRelay")
)
)
or (
sender.email.domain.root_domain in (
"shein.com",
"shein.com.mx",
"sheinemail.com",
"shein.co.uk",
"sheingroup.com",
"sheinnotice.com",
"cash.app",
"capitaloneshopping.com"
)
and (
headers.auth_summary.dmarc.pass
// for when DMARC fails, but it's still a legit Shein newsletter
or (
length(body.links) > 10
and ratio(body.links,
.href_url.domain.root_domain in (
"shein.com",
"sheinemail.com",
"shein.co.uk",
"sheingroup.com",
"sheinnotice.com",
"cash.app",
"capitaloneshopping.com"
)
) > 0.6
)
)
)
// parse out original sender domain from Apple Private Relay info
or (
sender.email.domain.domain in ("privaterelay.appleid.com", "icloud.com")
and strings.ilike(sender.email.local_part,
'*shein_com*',
'*sheinemail_com*'
)
)
)
// and the sender is not from high trust sender root domains
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or not headers.auth_summary.dmarc.pass
or not headers.auth_summary.spf.pass
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand Impersonation: Shein"
description: "Detects suspicious Shein-branded communications using display name impersonation, logo detection, and deceptive content analysis. Includes checks for security/authentication topics, secure messages, notifications, and promotional content like fake surveys or giveaways. Excludes legitimate Shein domains with proper authentication and known trusted senders."
type: "rule"
severity: "medium"
source: |
type.inbound
and (
// display name contains Shein
(
(
regex.icontains(strings.replace_confusables(sender.display_name),
'\bsh[ie]{2}n\b'
)
and not strings.icontains(sender.display_name, "sheen")
)
or (
length(ml.logo_detect(file.message_screenshot()).brands) == 1
and all(ml.logo_detect(file.message_screenshot()).brands,
.name == "Shein" and .confidence == "high"
)
)
)
)
and (
(
length(ml.nlu_classifier(body.current_thread.text).topics) > 0
and all(ml.nlu_classifier(body.current_thread.text).topics,
.name in (
"Security and Authentication",
"Secure Message",
"Reminders and Notifications",
"Advertising and Promotions" // fake surveys/giveaways have been observed
)
and .confidence in ("medium", "high")
)
)
or (
length(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics) > 0
and all(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
.name in (
"Security and Authentication",
"Secure Message",
"Reminders and Notifications",
"Advertising and Promotions" // fake surveys/giveaways have been observed
)
and .confidence in ("medium", "high")
and beta.ocr(file.message_screenshot()).text != ""
)
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
.name == "cred_theft" and .confidence == "high"
)
)
// and the sender is not in org_domains or from Shein domains and passes auth
and not (
sender.email.domain.root_domain in $org_domains
or (
length(attachments) == 1
// this is Shein's return label generator
and all(attachments,
.file_type == "pdf"
and strings.icontains(beta.parse_exif(.).creator, "MondialRelay")
)
)
or (
sender.email.domain.root_domain in (
"shein.com",
"shein.com.mx",
"sheinemail.com",
"shein.co.uk",
"sheingroup.com",
"sheinnotice.com",
"cash.app",
"capitaloneshopping.com"
)
and (
headers.auth_summary.dmarc.pass
// for when DMARC fails, but it's still a legit Shein newsletter
or (
length(body.links) > 10
and ratio(body.links,
.href_url.domain.root_domain in (
"shein.com",
"sheinemail.com",
"shein.co.uk",
"sheingroup.com",
"sheinnotice.com",
"cash.app",
"capitaloneshopping.com"
)
) > 0.6
)
)
)
// parse out original sender domain from Apple Private Relay info
or (
sender.email.domain.domain in ("privaterelay.appleid.com", "icloud.com")
and strings.ilike(sender.email.local_part,
'*shein_com*',
'*sheinemail_com*'
)
)
)
// and the sender is not from high trust sender root domains
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or not headers.auth_summary.dmarc.pass
or not headers.auth_summary.spf.pass
)
attack_types:
- "Credential Phishing"
- "Spam"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Computer Vision"
- "Content analysis"
- "Header analysis"
- "Natural Language Understanding"
- "Optical Character Recognition"
- "Sender analysis"
id: "b5843f22-9b49-56a0-a6db-259920a0c7fa"