Commit e86e797

[Test Rules] [PR #4633] modified rule: Brand impersonation: UPS
1 parent 672dcae commit e86e797

1 file changed

Lines changed: 4 additions & 4 deletions

detection-rules/4633_impersonation_ups.yml

@@ -1,4 +1,4 @@
1-
name: "Brand Impersonation: UPS Delivery"
1+
name: "Brand impersonation: UPS"
22
description: |
33
Detects messages impersonating UPS (United Parcel Service) through display name, email address patterns, subject content, or HTML styling that mimics UPS branding, while excluding legitimate UPS domains.
44
references:
@@ -11,8 +11,8 @@ source: |
1111
type.inbound
1212
and sender.email.domain.root_domain not in ("ups.com", "upsemail.com")
1313
and (
14-
sender.display_name in~ ("UPS My Choice", "UPS Services")
15-
or regex.icontains(sender.display_name, 'UPS-\w+')
14+
sender.display_name in~ ("UPS My Choice", "UPS Services", "Ups.com")
15+
or regex.icontains(sender.display_name, 'ups-\w+')
1616
or strings.ilike(sender.email.local_part, "*united*parcel*service*")
1717
or strings.ilike(sender.email.domain.domain, '*united*parcel*service*')
1818
or strings.icontains(subject.subject, 'UPS delivery')
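Review bot: The display-name regex on new line 15 has no leading word boundary, so `'ups-\w+'` also matches inside longer words: a display name such as "Startups-Weekly" or "Backups-Report" satisfies this branch of the `or` group. Consider `'\bups-\w+'`; whether the current form produces false positives in practice depends on the conditions outside this hunk. The case change from `'UPS-\w+'` to `'ups-\w+'` does not alter matching, since `regex.icontains` is already case-insensitive, so it is a style-only edit. On new line 14, `in~` is likewise case-insensitive, so `"Ups.com"` covers every casing, but it is an exact match on the whole display name and will not catch a name that merely contains or starts with "ups.com"; if those variants are in scope, a substring or prefix check would be needed instead.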
@@ -55,4 +55,4 @@ detection_methods:
5555
id: "65eee471-2ab1-5264-9ce8-a404684b1cc8"
5656
og_id: "73b68869-5720-5dc3-b4bc-15730de972d8"
5757
testing_pr: 4633
58-
testing_sha: 9a541eec318bd3eb797c0c8d30c40ae8f740f8eb
58+
testing_sha: b1cd8fc04df9d6cd1983c580e00acbe7e55471e7
