Medium Severity
Brand Impersonation: AliExpress
Description
Detects messages impersonating AliExpress by matching known footer text and social media links, while confirming the sender is not legitimately from AliExpress or its infrastructure.
References
No references.
Sublime Security
Created Apr 28th, 2025 • Last updated Apr 28th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and (
  // the address in the footer
  strings.icontains(body.current_thread.text,
                    '26/F Tower One, Times Square, 1 Matheson Street, Causeway Bay'
  )
  // the social links in the footer
  or (
    length(filter(body.links,
                  strings.icontains(.href_url.url,
                                    'https://www.facebook.com/aliexpressbr'
                  )
                  or strings.icontains(.href_url.url,
                                       'https://twitter.com/aliexpressbr'
                  )
                  or strings.icontains(.href_url.url,
                                       'https://www.youtube.com/user/AliExpressChannel'
                  )
                  or strings.icontains(.href_url.url,
                                       'https://www.instagram.com/aliexpressbr'
                  )
                  // whatsapp
                  or strings.icontains(.href_url.url,
                                       'https://wa.me/8657186563839'
                  )
                  // messenger
                  or strings.icontains(.href_url.url, 'https://m.me/AliExpress')
           )
    ) >= 4
  )
)
// not from AliExpress or Alibaba
and not (
  sender.email.domain.root_domain in ("aliexpress.com", "alibaba.com")
  and headers.auth_summary.dmarc.pass
)
// did not traverse the parent org's mail server
and not (any(headers.domains, .root_domain in ('aliyun-inc.com')))
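The rule's logic re-implemented as an added Python example (not Sublime's code or MQL) and run over constructed sample messages; the Message class and the example.invalid domain are stand-ins for the Sublime message fields the rule reads, and the samples show why the brand-domain exception is tied to a DMARC pass.

```python
from dataclasses import dataclass
# Constructed stand-in for the Sublime message fields the rule reads:
# body text, link URLs, sender root domain, DMARC result, header domains.
@dataclass
class Message:
    body_text: str
    link_urls: list
    sender_root_domain: str
    dmarc_pass: bool
    header_root_domains: list

FOOTER_ADDRESS = "26/F Tower One, Times Square, 1 Matheson Street, Causeway Bay"
FOOTER_LINKS = [
    "https://www.facebook.com/aliexpressbr",
    "https://twitter.com/aliexpressbr",
    "https://www.youtube.com/user/AliExpressChannel",
    "https://www.instagram.com/aliexpressbr",
    "https://wa.me/8657186563839",  # whatsapp
    "https://m.me/AliExpress",      # messenger
]
LEGIT_SENDER_DOMAINS = {"aliexpress.com", "alibaba.com"}
PARENT_ORG_DOMAINS = {"aliyun-inc.com"}

def icontains(haystack: str, needle: str) -> bool:
    """Case-insensitive substring test, mirroring MQL strings.icontains."""
    return needle.lower() in haystack.lower()

def looks_like_aliexpress_footer(msg: Message) -> bool:
    """Footer address present, or at least four of the footer social links."""
    if icontains(msg.body_text, FOOTER_ADDRESS):
        return True
    hits = [u for u in msg.link_urls if any(icontains(u, f) for f in FOOTER_LINKS)]
    return len(hits) >= 4

def sent_by_brand(msg: Message) -> bool:
    """Exception 1: brand domains are trusted only when DMARC passes."""
    return msg.sender_root_domain in LEGIT_SENDER_DOMAINS and msg.dmarc_pass

def via_parent_org(msg: Message) -> bool:
    """Exception 2: message traversed the parent org's mail infrastructure."""
    return any(d in PARENT_ORG_DOMAINS for d in msg.header_root_domains)

def is_impersonation(msg: Message) -> bool:
    return looks_like_aliexpress_footer(msg) and not sent_by_brand(msg) and not via_parent_org(msg)

# Constructed samples; example.invalid is a placeholder domain.
SPOOF = Message("Claim your coupon. " + FOOTER_ADDRESS, ["https://example.invalid/claim"],
                "example.invalid", False, ["example.invalid"])
LEGIT = Message("Order shipped.", FOOTER_LINKS[:5], "aliexpress.com", True, ["aliexpress.com"])
FORGED_FROM = Message("Order shipped.", FOOTER_LINKS[:4], "aliexpress.com", False, ["example.invalid"])  # brand From, DMARC fail
```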