← Back to Explore
sublimelowRule
Brand impersonation: DHL
Impersonation of the shipping provider DHL.
Detection Query
type.inbound
and (
regex.icontains(sender.display_name, '\bDHL\b')
or (
strings.ilike(sender.email.domain.domain, '*DHL*')
and length(sender.email.domain.domain) < 15
)
or strings.ilike(subject.subject, '*DHL notification*')
or regex.icontains(subject.subject, 'dhl? express')
or regex.contains(subject.subject, '\bD.{0,2}H.{0,2}L.{0,2}\b')
or (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name == "Shipping and Package" and .confidence == "high"
)
and strings.contains(body.current_thread.text, 'DHL ')
)
)
and (
any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
or any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "org"
and (
.text =~ "DHL"
or .text =~ "DHL Express"
or strings.istarts_with(.text, "DHL International")
)
)
or any(ml.logo_detect(file.message_screenshot()).brands,
.name == "DHL" and .confidence in ("medium", "high")
)
or regex.icontains(body.current_thread.text, '\bDHL\b')
// it contains a QR code
or (
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
beta.scan_qr(file.message_screenshot()).found
and any(beta.scan_qr(file.message_screenshot()).items, .type == "url")
)
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
or strings.ilike(beta.ocr(file.message_screenshot()).text,
"*package*",
"*parcel*",
"*shipping*",
"*delivery*",
"*track*"
)
or strings.ilike(body.current_thread.text,
"*package*",
"*parcel*",
"*shipping*",
"*delivery*",
"*track*"
)
)
and (
(
(
length(headers.references) > 0
or not any(headers.hops,
any(.fields, strings.ilike(.name, "In-Reply-To"))
)
)
and not (
(
strings.istarts_with(subject.subject, "RE:")
or strings.istarts_with(subject.subject, "RES:")
or strings.istarts_with(subject.subject, "R:")
or strings.istarts_with(subject.subject, "ODG:")
or strings.istarts_with(subject.subject, "答复:")
or strings.istarts_with(subject.subject, "AW:")
or strings.istarts_with(subject.subject, "TR:")
or strings.istarts_with(subject.subject, "FWD:")
or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
)
)
)
or length(headers.references) == 0
)
and sender.email.domain.root_domain not in~ (
'dhl.com',
'dhl-news.com',
'bdhllp.com',
'dhlecommerce.co.uk',
'dhlparcel.co.uk',
'dhlecs.com',
'dhl.co.uk',
'dhl.co.tz',
'dpdhl.com',
'dhl.de',
'dhl.fr',
'dhl.pl',
'dhlexpress.fr', // legit dhl site
'dhlending.com',
'inmotion.dhl',
'dhlparcel.nl',
'dhltariff.co.uk',
'dhlindia-kyc.com',
'dpogroup.com',
'4flow-service.com', // shipping service
'leaders-in-logistics.com', // legit sight for leadership webinar events
'deutschepost.de', // German postal service
'dhlecommerce.nl',
'dhl.nl',
'adhlawfirm.com', // similar name but unrelated
'attendhlth.com', // dhl in domain but unrelated
'tdhlaw.com', // dhl in domain but unrelated
'hapibenefits.com', // DHL rewards program
'dhlgpi.com', // DHL Australia
'dhlfreight-news.com'
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Raw Content
name: "Brand impersonation: DHL"
description: |
Impersonation of the shipping provider DHL.
references:
- "https://www.helpnetsecurity.com/2020/08/21/q2-2020-email-security-trends/"
- "https://www.dhl.com/ca-en/home/footer/fraud-awareness.html"
type: "rule"
severity: "low"
source: |
type.inbound
and (
regex.icontains(sender.display_name, '\bDHL\b')
or (
strings.ilike(sender.email.domain.domain, '*DHL*')
and length(sender.email.domain.domain) < 15
)
or strings.ilike(subject.subject, '*DHL notification*')
or regex.icontains(subject.subject, 'dhl? express')
or regex.contains(subject.subject, '\bD.{0,2}H.{0,2}L.{0,2}\b')
or (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name == "Shipping and Package" and .confidence == "high"
)
and strings.contains(body.current_thread.text, 'DHL ')
)
)
and (
any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
or any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "org"
and (
.text =~ "DHL"
or .text =~ "DHL Express"
or strings.istarts_with(.text, "DHL International")
)
)
or any(ml.logo_detect(file.message_screenshot()).brands,
.name == "DHL" and .confidence in ("medium", "high")
)
or regex.icontains(body.current_thread.text, '\bDHL\b')
// it contains a QR code
or (
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
beta.scan_qr(file.message_screenshot()).found
and any(beta.scan_qr(file.message_screenshot()).items, .type == "url")
)
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
or strings.ilike(beta.ocr(file.message_screenshot()).text,
"*package*",
"*parcel*",
"*shipping*",
"*delivery*",
"*track*"
)
or strings.ilike(body.current_thread.text,
"*package*",
"*parcel*",
"*shipping*",
"*delivery*",
"*track*"
)
)
and (
(
(
length(headers.references) > 0
or not any(headers.hops,
any(.fields, strings.ilike(.name, "In-Reply-To"))
)
)
and not (
(
strings.istarts_with(subject.subject, "RE:")
or strings.istarts_with(subject.subject, "RES:")
or strings.istarts_with(subject.subject, "R:")
or strings.istarts_with(subject.subject, "ODG:")
or strings.istarts_with(subject.subject, "答复:")
or strings.istarts_with(subject.subject, "AW:")
or strings.istarts_with(subject.subject, "TR:")
or strings.istarts_with(subject.subject, "FWD:")
or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
)
)
)
or length(headers.references) == 0
)
and sender.email.domain.root_domain not in~ (
'dhl.com',
'dhl-news.com',
'bdhllp.com',
'dhlecommerce.co.uk',
'dhlparcel.co.uk',
'dhlecs.com',
'dhl.co.uk',
'dhl.co.tz',
'dpdhl.com',
'dhl.de',
'dhl.fr',
'dhl.pl',
'dhlexpress.fr', // legit dhl site
'dhlending.com',
'inmotion.dhl',
'dhlparcel.nl',
'dhltariff.co.uk',
'dhlindia-kyc.com',
'dpogroup.com',
'4flow-service.com', // shipping service
'leaders-in-logistics.com', // legit sight for leadership webinar events
'deutschepost.de', // German postal service
'dhlecommerce.nl',
'dhl.nl',
'adhlawfirm.com', // similar name but unrelated
'attendhlth.com', // dhl in domain but unrelated
'tdhlaw.com', // dhl in domain but unrelated
'hapibenefits.com', // DHL rewards program
'dhlgpi.com', // DHL Australia
'dhlfreight-news.com'
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Lookalike domain"
- "Social engineering"
detection_methods:
- "Header analysis"
- "Sender analysis"
id: "be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5"