EXPLORE
Sign In
← Back to Explore
sublimehighRule

Brand impersonation: Paperless Post

Detects messages containing multiple images hosted on ppassets.com (Paperless Post's asset domain) but with fewer than 3 legitimate Paperless Post links, while excluding authentic forwards/replies and messages from verified Paperless Post domains with valid DMARC authentication.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1204.002T1486T1598.003
initial-access

Detection Query

type.inbound
and strings.contains(body.html.raw, 'ppassets.com')
and length(filter(html.xpath(body.html, '//img/@src').nodes,
                  // calling parse_url allows url decoding to help us
                  strings.parse_url(.raw).domain.root_domain == 'ppassets.com'
           )
) >= 2
and length(filter(body.links,
                  .href_url.domain.domain == "links.paperlesspost.com"
                  or (
                    .href_url.domain.root_domain == "paperlesspost.com"
                    and strings.istarts_with(.href_url.path, '/go/')
                  )
           )
) < 2
and not (
  (subject.is_forward or subject.is_reply)
  and (
    (length(headers.references) != 0 or headers.in_reply_to is not null)
    or length(body.previous_threads) > 0
  )
)
and not (
  sender.email.domain.root_domain == "paperlesspost.com"
  and headers.auth_summary.dmarc.pass
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand impersonation: Paperless Post"
description: "Detects messages containing multiple images hosted on ppassets.com (Paperless Post's asset domain) but with fewer than 3 legitimate Paperless Post links, while excluding authentic forwards/replies and messages from verified Paperless Post domains with valid DMARC authentication."
type: "rule"
severity: "high"
source: |
  type.inbound
  and strings.contains(body.html.raw, 'ppassets.com')
  and length(filter(html.xpath(body.html, '//img/@src').nodes,
                    // calling parse_url allows url decoding to help us
                    strings.parse_url(.raw).domain.root_domain == 'ppassets.com'
             )
  ) >= 2
  and length(filter(body.links,
                    .href_url.domain.domain == "links.paperlesspost.com"
                    or (
                      .href_url.domain.root_domain == "paperlesspost.com"
                      and strings.istarts_with(.href_url.path, '/go/')
                    )
             )
  ) < 2
  and not (
    (subject.is_forward or subject.is_reply)
    and (
      (length(headers.references) != 0 or headers.in_reply_to is not null)
      or length(body.previous_threads) > 0
    )
  )
  and not (
    sender.email.domain.root_domain == "paperlesspost.com"
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Brand"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Sender analysis"
  - "URL analysis"
id: "e9ec5e09-e50f-5d02-ad14-35a1a1442960"