• Sublime Core Feed
Medium Severity

Brand Impersonation: PayPal

Labels

Credential Phishing
Impersonation: Brand
Lookalike domain
Social engineering
Computer Vision
Content analysis
File analysis
Header analysis
Sender analysis

Description

Impersonation of PayPal.

References

Sublime Security
Created Aug 17th, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  strings.replace_confusables(sender.display_name) =~ "paypal"
  or strings.ilevenshtein(strings.replace_confusables(sender.display_name), 'paypal') <= 1
  or strings.ilike(strings.replace_confusables(sender.display_name), '*paypal*')
  or any(attachments,
         (.file_type in $file_types_images or .file_type == "pdf")
         and any(ml.logo_detect(.).brands, .name == "PayPal")
         and any(file.explode(.),
                 // exclude images taken with mobile cameras and screenshots from android
                 not any(.scan.exiftool.fields,
                         .key == "Model"
                         or (
                           .key == "Software"
                           and strings.starts_with(.value, "Android")
                         )
                 )
                 // exclude images taken with mobile cameras and screenshots from Apple
                 and not any(.scan.exiftool.fields,
                             .key == "DeviceManufacturer"
                             and .value == "Apple Computer Inc."
                 )
                 and strings.ilike(.scan.ocr.raw, "*PayPal*")
                 and strings.ilike(.scan.ocr.raw,
                                   "*invoice*",
                                   "*transaction*",
                                   "*bitcoin*",
                                   "*dear customer*",
                                   "*suspicious activity*"
                 )
         )
  )
  or (
    any(ml.logo_detect(beta.message_screenshot()).brands, .name == "PayPal")
    and strings.ilike(body.current_thread.text, "*PayPal*")
    and strings.ilike(body.current_thread.text,
                      "*invoice*",
                      "*transaction*",
                      "*bitcoin*",
                      "*dear customer*",
                      "*suspicious activity*"
    )
  )
)
and not any(beta.ml_topic(body.current_thread.text).topics,
          .name in~ (
            "Professional and Career Development",
            "Government Services"
          )
)
and sender.email.domain.root_domain not in (
  'google.com',
  'paypal-brandsfeedback.com',
  'paypal-creditsurvey.com',
  'paypal-customerfeedback.com',
  'paypal-experience.com',
  'paypal-prepaid.com',
  'paypal.at',
  'paypal.be',
  'paypal.ca',
  'paypal.ch',
  'paypal.co.br',
  'paypal.co.il',
  'paypal.co.uk',
  'paypal.com',
  'paypal.com.au',
  'paypal.com.mx',
  'paypal.com.sg',
  'paypal.de',
  'paypal.dk',
  'paypal.es',
  'paypal.fr',
  'paypal.hk',
  'paypal.it',
  'paypal.nl',
  'paypal.pl',
  'paypal.se',
  'paypalcorp.com',
  'q4inc.com',
  'synchrony.com',
  'synchronybank.com',
  'synchronyfinancial.com',
  'xoom.com',
  'zettle.com'
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started