• Sublime Core Feed
High Severity

Brand impersonation: USPS

Labels

Credential Phishing
Image as content
Impersonation: Brand
Social engineering
Computer Vision
Content analysis
Natural Language Understanding
Sender analysis

Description

Impersonation of the United States Postal Service.

References

No references.

Sublime Security
Created Feb 12th, 2024 • Last updated Feb 13th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  any(ml.logo_detect(file.message_screenshot()).brands, .name == "USPS")
  or strings.icontains(sender.display_name, "USPS")
  or regex.contains(body.html.display_text, 'USPS\s*\.\s*COM')
)
and length(body.links) > 0
and 3 of (
  any(body.links,
      strings.ilike(.display_text,
                    "*check now*",
                    "*track*",
                    "*package*",
                    '*view your order*'
      )
  ),
  strings.ilike(body.current_thread.text,
                "*returned*to*sender*",
                "*redelivery*",
                '*USPS promotions*',
                '*review your package*',
                '*receiver address*',
                '*sorry tolet*',
                '*Due to an incorrect*'
  ),
  // impersonal greeting
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "recipient" and .text =~ "Customer"
  ),
  // free email sender
  sender.email.domain.root_domain in $free_email_providers,
  // contains link to recently registered domain
  any(body.links, network.whois(.href_url.domain).days_old < 15),
  (
    regex.icontains(strings.replace_confusables(body.html.display_text),
                    '\b(?:u.?s.?p.?s|shipping|delivery)\b'
    )
    and not regex.icontains(body.html.display_text,
                            '\b(?:usps|shipping|delivery)\b'
    )
  )
)
and (
  sender.email.domain.root_domain not in (
    "usps.com",
    "opinions-inmoment.com", // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
    "shipup.co", // third party shipping company
    "withings.com" // third party shipping company
  )
  or (
    sender.email.domain.root_domain in (
      "usps.com",
      "opinions-inmoment.com" // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
    )
    and not headers.auth_summary.dmarc.pass
  )
)
// negate newsletters
and not (
  length(body.links) > 20
  or any(ml.nlu_classifier(body.html.display_text).topics,
         .name == "Newsletters and Digests"
  )
)
// not all links to usps.com
and not all(body.links, .href_url.domain.root_domain == "usps.com")
// negate legit forwards and replies
and not (
  (subject.is_reply or subject.is_forward)
  and length(body.previous_threads) > 0
  and (length(headers.references) > 0 or headers.in_reply_to is not null)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not any(body.links,
            regex.icontains(.display_text, 'Track (?:Your Order|Shipment)')
            and .href_url.domain.domain == 'tools.usps.com'
)
and not sender.email.domain.root_domain in ('shopifyemail.com')
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started