[Test Rules] [PR #4316] added rule: Brand impersonation: USPS

Author: github-actions[bot]

detection-rules/4316_impersonation_usps.yml

@@ -0,0 +1,110 @@
+name: "Brand impersonation: USPS"
+description: "Impersonation of the United States Postal Service."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and (
+    any(ml.logo_detect(file.message_screenshot()).brands, .name == "USPS")
+    or strings.icontains(sender.display_name, "USPS")
+    or regex.contains(body.html.display_text, 'USPS\s*\.\s*COM')
+    or strings.icontains(body.current_thread.text, 'USPS Delivery Team')
+  )
+  and length(body.links) > 0
+  and 3 of (
+    any(body.links,
+        strings.ilike(.display_text,
+                      "*check now*",
+                      "*track*",
+                      "*package*",
+                      '*view your order*',
+                      "*update*"
+        )
+    ),
+    strings.ilike(body.current_thread.text,
+                  "*returned*to*sender*",
+                  "*redelivery*",
+                  '*USPS promotions*',
+                  '*review your package*',
+                  '*receiver address*',
+                  '*sorry tolet*',
+                  '*Due to an incorrect*'
+    ),
+    // impersonal greeting
+    any(ml.nlu_classifier(body.current_thread.text).entities,
+        .name == "recipient" and .text =~ "Customer"
+    ),
+    any(ml.nlu_classifier(body.current_thread.text).intents,
+        .name == "cred_theft" and .confidence != "low"
+    ),
+    // free email sender
+    sender.email.domain.root_domain in $free_email_providers,
+    // contains link to recently registered domain
+    any(body.links, network.whois(.href_url.domain).days_old < 15),
+    (
+      regex.icontains(strings.replace_confusables(body.html.display_text),
+                      '\b(?:u.?s.?p.?s|shipping|delivery)\b'
+      )
+      and not regex.icontains(body.html.display_text,
+                              '\b(?:usps|shipping|delivery)\b'
+      )
+    )
+  )
+  and (
+    sender.email.domain.root_domain not in (
+      "usps.com",
+      "opinions-inmoment.com", // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
+      "shipup.co", // third party shipping company
+      "withings.com" // third party shipping company
+    )
+    or (
+      sender.email.domain.root_domain in (
+        "usps.com",
+        "opinions-inmoment.com" // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
+      )
+      and not headers.auth_summary.dmarc.pass
+    )
+  )
+  // negate newsletters
+  and not (
+    length(body.links) > 20
+    or any(ml.nlu_classifier(body.html.display_text).topics,
+           .name == "Newsletters and Digests"
+    )
+  )
+  // not all links to usps.com
+  and not all(body.links, .href_url.domain.root_domain == "usps.com")
+  // negate legit forwards and replies
+  and not (
+    (subject.is_reply or subject.is_forward)
+    and length(body.previous_threads) > 0
+    and (length(headers.references) > 0 or headers.in_reply_to is not null)
+  )
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+  and not any(body.links,
+              regex.icontains(.display_text, 'Track (?:Your Order|Shipment)')
+              and .href_url.domain.domain == 'tools.usps.com'
+  )
+  and not sender.email.domain.root_domain in ('shopifyemail.com')
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Image as content"
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Computer Vision"
+  - "Content analysis"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+id: "9dd9ffb2-d6b7-5680-9f65-4037eeed994b"
+og_id: "28b9130a-d8e0-50af-97c9-c1b8f4c46d68"
+testing_pr: 4316
+testing_sha: 12c57bb387bdd43c2e6caf28823c68a4d897a689