From 151c877c2f612eae50e78166ae775b5b655e9e7d Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 31 Oct 2025 16:51:36 -0500
Subject: [PATCH 1/4] Create brand_impersonation_paperlesspost.yml
---
 .../brand_impersonation_paperlesspost.yml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 detection-rules/brand_impersonation_paperlesspost.yml
diff --git a/detection-rules/brand_impersonation_paperlesspost.yml b/detection-rules/brand_impersonation_paperlesspost.yml
new file mode 100644
index 00000000000..56b67574d38
--- /dev/null
+++ b/detection-rules/brand_impersonation_paperlesspost.yml
@@ -0,0 +1,37 @@
+name: "Brand impersonation: Paperless Post"
+description: "Detects messages containing multiple images hosted on ppassets.com (Paperless Post's asset domain) but with fewer than 3 legitimate Paperless Post links, while excluding authentic forwards/replies and messages from verified Paperless Post domains with valid DMARC authentication."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and strings.contains(body.html.raw, 'ppassets.com')
+ and length(filter(html.xpath(body.html, '//img/@src').nodes,
+ // calling parse_url allows url decoding to help us
+ strings.parse_url(.raw).domain.root_domain == 'ppassets.com'
+ )
+ ) >= 2
+ and length(filter(body.links,
+ .href_url.domain.domain == "links.paperlesspost.com"
+ )
+ ) < 3
+ and not (
+ (subject.is_forward or subject.is_reply)
+ and (length(headers.references) != 0 or headers.in_reply_to is not null)
+ and length(body.previous_threads) > 0
+ )
+ and not (
+ sender.email.domain.root_domain == "paperlesspost.com"
+ and headers.auth_summary.dmarc.pass
+ )
+
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "HTML analysis"
+ - "Sender analysis"
+ - "URL analysis"
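Review bot: The thresholds `>= 2` on ppassets.com images and `< 3` on links.paperlesspost.com links carry no comment explaining the asymmetry, so the only rationale is the top-level `description` string, which is easy to miss when the numbers are later tuned. A one-line why-comment above the link count would help, e.g. `// genuine invitations carry several links.paperlesspost.com links alongside the hosted images; lookalikes presumably reuse the images without them` (the "presumably" is mine — replace it with the observed reason). The expression also mixes single-quoted (`'ppassets.com'`) and double-quoted (`"links.paperlesspost.com"`) literals for the same kind of domain comparison; one quoting style throughout would read more consistently.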
From e3fec67c8215b08a3dd27147b29f0ffda2d04c0d Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Fri, 31 Oct 2025 21:57:06 +0000
Subject: [PATCH 2/4] Auto add rule ID
---
 detection-rules/brand_impersonation_paperlesspost.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/brand_impersonation_paperlesspost.yml b/detection-rules/brand_impersonation_paperlesspost.yml
index 56b67574d38..383cff12fd4 100644
--- a/detection-rules/brand_impersonation_paperlesspost.yml
+++ b/detection-rules/brand_impersonation_paperlesspost.yml
@@ -35,3 +35,4 @@ detection_methods:
 - "HTML analysis"
 - "Sender analysis"
 - "URL analysis"
+id: "e9ec5e09-e50f-5d02-ad14-35a1a1442960"
From 781e64c32d8a4795ef65255b70858f7b5e817af9 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Tue, 4 Nov 2025 19:29:26 -0600
Subject: [PATCH 3/4] Update brand_impersonation_paperlesspost.yml
---
 detection-rules/brand_impersonation_paperlesspost.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/detection-rules/brand_impersonation_paperlesspost.yml b/detection-rules/brand_impersonation_paperlesspost.yml
index 383cff12fd4..572bfee901e 100644
--- a/detection-rules/brand_impersonation_paperlesspost.yml
+++ b/detection-rules/brand_impersonation_paperlesspost.yml
@@ -12,8 +12,12 @@ source: |
 ) >= 2
 and length(filter(body.links,
 .href_url.domain.domain == "links.paperlesspost.com"
+ or (
+ .href_url.domain.root_domain == "paperlesspost.com"
+ and strings.istarts_with(.href_url.path, '/go/')
+ )
 )
- ) < 3
+ ) < 2
 and not (
 (subject.is_forward or subject.is_reply)
 and (length(headers.references) != 0 or headers.in_reply_to is not null)
@@ -23,7 +27,6 @@ source: |
 sender.email.domain.root_domain == "paperlesspost.com"
 and headers.auth_summary.dmarc.pass
 )
-
 attack_types:
 - "Credential Phishing"
 - "Malware/Ransomware"
From 5c998d9cd2864b47845d0149fcb99e46c5c57824 Mon Sep 17 00:00:00 2001
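Review bot: The `description` on line 2 of the file (outside this hunk) still says "fewer than 3 legitimate Paperless Post links" and names only links.paperlesspost.com, while the `@@ -12,8 +12,12 @@` hunk lowers the threshold to `< 2` and additionally counts `paperlesspost.com` links whose path starts with `/go/`. That string is what an analyst reads when triaging a hit, so it should change in the same commit, e.g. `description: "... but with fewer than 2 legitimate Paperless Post links (links.paperlesspost.com, or paperlesspost.com paths under /go/), while excluding ..."`. A short comment on the new `or (` branch stating why `/go/` paths are treated as legitimate would also help, since nothing in the file explains it. The `source` block begins and ends outside this hunk.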
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Thu, 6 Nov 2025 15:13:38 -0600
Subject: [PATCH 4/4] Update brand_impersonation_paperlesspost.yml
---
 detection-rules/brand_impersonation_paperlesspost.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/detection-rules/brand_impersonation_paperlesspost.yml b/detection-rules/brand_impersonation_paperlesspost.yml
index 572bfee901e..4154664225b 100644
--- a/detection-rules/brand_impersonation_paperlesspost.yml
+++ b/detection-rules/brand_impersonation_paperlesspost.yml
@@ -20,8 +20,10 @@ source: |
 ) < 2
 and not (
 (subject.is_forward or subject.is_reply)
- and (length(headers.references) != 0 or headers.in_reply_to is not null)
- and length(body.previous_threads) > 0
+ and (
+ (length(headers.references) != 0 or headers.in_reply_to is not null)
+ or length(body.previous_threads) > 0
+ )
 )
 and not (
 sender.email.domain.root_domain == "paperlesspost.com"
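Review bot: The forward/reply exclusion is widened from requiring both threading headers and `body.previous_threads` to accepting either one, so a message with a reply-style subject and quoted prior content but no `References`/`In-Reply-To` header now suppresses the rule; the commit gives no reason for the change. Since this is a deliberate loosening of a false-positive guard on a high-severity brand-impersonation rule, the rationale belongs next to the new `and (` line, e.g. `// either threading headers or quoted prior content is accepted; some forward/reply paths carry only one of them` (my guess at the reason — replace it with the cases that motivated the change). If the wider exclusion was meant only for forwards, the `previous_threads` alternative could be limited to the `subject.is_forward` case and replies kept on header evidence. The enclosing `source` block begins and ends outside this hunk.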