Create brand_impersonation_paperlesspost.yml

detection-rules/brand_impersonation_paperlesspost.yml

@@ -0,0 +1,43 @@
+name: "Brand impersonation: Paperless Post"
+description: "Detects messages containing multiple images hosted on ppassets.com (Paperless Post's asset domain) but with fewer than 3 legitimate Paperless Post links, while excluding authentic forwards/replies and messages from verified Paperless Post domains with valid DMARC authentication."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and strings.contains(body.html.raw, 'ppassets.com')
+  and length(filter(html.xpath(body.html, '//img/@src').nodes,
+                    // calling parse_url allows url decoding to help us
+                    strings.parse_url(.raw).domain.root_domain == 'ppassets.com'
+             )
+  ) >= 2
+  and length(filter(body.links,
+                    .href_url.domain.domain == "links.paperlesspost.com"
+                    or (
+                      .href_url.domain.root_domain == "paperlesspost.com"
+                      and strings.istarts_with(.href_url.path, '/go/')
+                    )
+             )
+  ) < 2
+  and not (
+    (subject.is_forward or subject.is_reply)
+    and (
+      (length(headers.references) != 0 or headers.in_reply_to is not null)
+      or length(body.previous_threads) > 0
+    )
+  )
+  and not (
+    sender.email.domain.root_domain == "paperlesspost.com"
+    and headers.auth_summary.dmarc.pass
+  )
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "HTML analysis"
+  - "Sender analysis"
+  - "URL analysis"
+id: "e9ec5e09-e50f-5d02-ad14-35a1a1442960"