High Severity

Brand impersonation: Paperless Post

Labels

Credential Phishing

Malware/Ransomware

Description

Detects messages containing multiple images hosted on ppassets.com (Paperless Post's asset domain) but with fewer than 3 legitimate Paperless Post links, while excluding authentic forwards/replies and messages from verified Paperless Post domains with valid DMARC authentication.

References

No references.

Sublime Security

Created Nov 6th, 2025 • Last updated Nov 6th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and strings.contains(body.html.raw, 'ppassets.com')
and length(filter(html.xpath(body.html, '//img/@src').nodes,
                  // calling parse_url allows url decoding to help us
                  strings.parse_url(.raw).domain.root_domain == 'ppassets.com'
           )
) >= 2
and length(filter(body.links,
                  .href_url.domain.domain == "links.paperlesspost.com"
                  or (
                    .href_url.domain.root_domain == "paperlesspost.com"
                    and strings.istarts_with(.href_url.path, '/go/')
                  )
           )
) < 2
and not (
  (subject.is_forward or subject.is_reply)
  and (
    (length(headers.references) != 0 or headers.in_reply_to is not null)
    or length(body.previous_threads) > 0
  )
)
and not (
  sender.email.domain.root_domain == "paperlesspost.com"
  and headers.auth_summary.dmarc.pass
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.