High Severity
Brand impersonation: USPS
Description
Impersonation of the United States Postal Service.
References
No references.
Sublime Security
Created Feb 12th, 2024 • Last updated Dec 16th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and any(ml.logo_detect(beta.message_screenshot()).brands, .name == "USPS")
and length(body.links) > 0
and 2 of (
  any(body.links,
      strings.ilike(.display_text,
                    "*check now*",
                    "*track*",
                    "*package*",
                    "*view your order*"
      )
  ),
  strings.ilike(body.current_thread.text,
                "*returned*to*sender*",
                "*redelivery*"
  ),
  // impersonal greeting
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "recipient" and .text =~ "Customer"
  ),
  // no links go to usps.com
  all(body.links, .href_url.domain.root_domain != "usps.com")
)
and (
  sender.email.domain.root_domain not in (
    "usps.com",
    "opinions-inmoment.com" // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
  )
  or (
    sender.email.domain.root_domain in (
      "usps.com",
      "opinions-inmoment.com" // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
    )
    and not headers.auth_summary.dmarc.pass
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
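The rule above combines a brand-logo signal with "2 of" four lure heuristics and then negates legitimate USPS and high-trust senders unless they fail DMARC. The following Python is an added reference re-implementation of that logic, not Sublime's MQL engine or rule code, so the signals can be exercised offline against a constructed .eml. Assumptions: the two ML steps (logo detection, the NLU "recipient" entity) are replaced by explicit arguments `logo_brands` and `recipient_entity_text`; root-domain extraction is a two-label heuristic rather than a public-suffix list; `HIGH_TRUST_ROOT_DOMAINS` is a stand-in for the `$high_trust_sender_root_domains` list; both sample messages are constructed.

```python
"""Added example: plain-Python mirror of the Sublime USPS impersonation rule.
ML signals are supplied as arguments (assumption); everything else is evaluated
from the message itself.  Not Sublime's code."""
import email
import fnmatch
import re
from email import policy, utils
from html.parser import HTMLParser
from urllib.parse import urlparse

LINK_TEXT_PATTERNS = ("*check now*", "*track*", "*package*", "*view your order*")
BODY_PATTERNS = ("*returned*to*sender*", "*redelivery*")
USPS_DOMAINS = {"usps.com", "opinions-inmoment.com"}
HIGH_TRUST_ROOT_DOMAINS = {"microsoft.com", "google.com"}  # stand-in list (assumption)


def ilike(text, pattern):
    """Case-insensitive glob match, mirroring strings.ilike(); '*' spans newlines."""
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def root_domain(host):
    """Simplified root domain: last two labels (assumption; MQL uses a public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LinkParser(HTMLParser):
    """Collects <a href> targets and their display text, like body.links."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append({"href": self._href, "display_text": "".join(self._text).strip()})
            self._href = None


def evaluate(raw_eml, logo_brands=(), recipient_entity_text=None):
    """Return the rule verdict plus the individual signals for triage."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body_part = msg.get_body(preferencelist=("html", "plain"))
    html = body_part.get_content() if body_part else ""
    parser = LinkParser()
    parser.feed(html)
    links = parser.links
    text = re.sub(r"<[^>]+>", " ", html)  # crude tag strip for body.current_thread.text
    sender = utils.parseaddr(msg.get("From", ""))[1]
    sender_root = root_domain(sender.split("@")[-1]) if "@" in sender else ""
    dmarc_pass = "dmarc=pass" in (msg.get("Authentication-Results") or "").lower()

    signals = {
        "lure_link_text": any(ilike(l["display_text"], p) for l in links for p in LINK_TEXT_PATTERNS),
        "lure_body_text": any(ilike(text, p) for p in BODY_PATTERNS),
        "impersonal_greeting": (recipient_entity_text or "").lower() == "customer",
        "no_links_to_usps": all(root_domain(urlparse(l["href"]).hostname or "") != "usps.com" for l in links),
    }
    # "not in USPS_DOMAINS or (in USPS_DOMAINS and not dmarc.pass)" == not (in and pass)
    usps_sender_authenticated = sender_root in USPS_DOMAINS and dmarc_pass
    high_trust_authenticated = sender_root in HIGH_TRUST_ROOT_DOMAINS and dmarc_pass
    matched = (
        "USPS" in logo_brands
        and len(links) > 0
        and sum(signals.values()) >= 2
        and not usps_sender_authenticated
        and not high_trust_authenticated
    )
    return {"matched": matched, "signals": signals, "sender_root_domain": sender_root, "dmarc_pass": dmarc_pass}


# Constructed sample: lookalike sender, impersonal greeting, lure text, off-brand link.
PHISH_EML = """\
From: USPS Delivery <notice@parcel-status-alerts.example>
To: victim@example.org
Subject: Your package could not be delivered
Authentication-Results: mx.example.org; dmarc=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Your package was returned to sender because the address is incomplete.</p>
<p><a href="https://parcel-status-alerts.example/redelivery">Track your package</a></p></body></html>
"""

# Constructed sample: same lure wording, but sent from usps.com with DMARC pass.
LEGIT_EML = """\
From: USPS <no-reply@usps.com>
To: customer@example.org
Subject: Your USPS delivery update
Authentication-Results: mx.example.org; dmarc=pass header.from=usps.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p><p>Redelivery is scheduled for tomorrow.</p>
<p><a href="https://tools.usps.com/go/TrackConfirmAction">Track your package</a></p></body></html>
"""

if __name__ == "__main__":
    for name, eml in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        print(name, evaluate(eml, logo_brands=("USPS",), recipient_entity_text="Customer"))
```

The legitimate sample trips three of the four lure signals, which is why the sender-domain and DMARC negation at the end of the rule matters: a DMARC-passing usps.com message never matches, while the same content from a lookalike domain (or from usps.com without DMARC pass) does.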