• Sublime Core Feed
Low Severity

Fake shipping notification with link to free file hosting

Labels

Spam
Free file host
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Sender analysis

Description

This rule detects spam emails impersonating FedEx, UPS, or USPS with links to free file hosting.

References

Sublime Security
Created Aug 17th, 2023 • Last updated Jul 10th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and length(attachments) == 0
and (
  regex.icontains(coalesce(body.html.inner_text, body.html.display_text),
                  '\bf[ _]?e[ _]?d[ _]?e[ _]?x\b'
  )
  and sender.email.domain.domain != "fedex.com"
  and headers.return_path.domain.domain != sender.email.domain.domain
  and any(body.links, strings.contains(.display_text, "track"))
  and length(body.links) < 10
)
and any(body.links,
        .href_url.domain.domain in $free_file_hosts
        or .href_url.domain.root_domain in $free_file_hosts
)
and (
  (
    sender.email.domain.root_domain in $free_email_providers
    and sender.email.email not in $sender_emails
  )
  or (
    sender.email.domain.root_domain not in $free_email_providers
    and sender.email.domain.root_domain not in $sender_domains
  )
  or sender.email.domain.valid == false
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started