[PR #3460] added rule: Brand impersonation: DHL

github-actions[bot] · github-actions[bot] · commit 3a9b6d745233 · 2025-11-03T15:32:08.000Z
diff --git a/detection-rules/3460_impersonation_dhl.yml b/detection-rules/3460_impersonation_dhl.yml
@@ -0,0 +1,140 @@
+name: "Brand impersonation: DHL"
+description: |
+  Impersonation of the shipping provider DHL.
+references:
+  - "https://www.helpnetsecurity.com/2020/08/21/q2-2020-email-security-trends/"
+  - "https://www.dhl.com/ca-en/home/footer/fraud-awareness.html"
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  and (
+    regex.icontains(sender.display_name, '\bDHL\b')
+    or (
+      strings.ilike(sender.email.domain.domain, '*DHL*')
+      and length(sender.email.domain.domain) < 15
+    )
+    or strings.ilike(subject.subject, '*DHL notification*')
+    or strings.icontains(body.current_thread.text, 'DHL International')
+    or regex.contains(subject.subject, '\bD.{0,2}H.{0,2}L.{0,2}\b')
+  )
+  and (
+    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
+    or any(ml.nlu_classifier(body.current_thread.text).entities,
+           .name == "org" and .text =~ "DHL"
+    )
+    or any(ml.logo_detect(file.message_screenshot()).brands,
+           .name == "DHL" and .confidence in ("medium", "high")
+    )
+    or regex.icontains(body.current_thread.text, '\bDHL\b')
+    // it contains a QR code
+    or (
+      //
+      // This rule makes use of a beta feature and is subject to change without notice
+      // using the beta feature in custom rules is not suggested until it has been formally released
+      //
+      beta.scan_qr(file.message_screenshot()).found
+      and any(beta.scan_qr(file.message_screenshot()).items, .type == "url")
+    )
+    //
+    // This rule makes use of a beta feature and is subject to change without notice
+    // using the beta feature in custom rules is not suggested until it has been formally released
+    //
+    or strings.ilike(beta.ocr(file.message_screenshot()).text,
+                     "*package*",
+                     "*parcel*",
+                     "*shipping*",
+                     "*delivery*",
+                     "*track*"
+    )
+    or strings.ilike(body.current_thread.text,
+                     "*package*",
+                     "*parcel*",
+                     "*shipping*",
+                     "*delivery*",
+                     "*track*"
+    )
+  )
+  and (
+    (
+      (
+        length(headers.references) > 0
+        or not any(headers.hops,
+                   any(.fields, strings.ilike(.name, "In-Reply-To"))
+        )
+      )
+      and not (
+        (
+          strings.istarts_with(subject.subject, "RE:")
+          or strings.istarts_with(subject.subject, "RES:")
+          or strings.istarts_with(subject.subject, "R:")
+          or strings.istarts_with(subject.subject, "ODG:")
+          or strings.istarts_with(subject.subject, "答复:")
+          or strings.istarts_with(subject.subject, "AW:")
+          or strings.istarts_with(subject.subject, "TR:")
+          or strings.istarts_with(subject.subject, "FWD:")
+          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
+        )
+      )
+    )
+    or length(headers.references) == 0
+  )
+  and sender.email.domain.root_domain not in~ (
+    'dhl.com',
+    'dhl-news.com',
+    'bdhllp.com',
+    'dhlecommerce.co.uk',
+    'dhlparcel.co.uk',
+    'dhlecs.com',
+    'dhl.co.uk',
+    'dhl.co.tz',
+    'dpdhl.com',
+    'dhl.de',
+    'dhl.fr',
+    'dhl.pl',
+    'dhlexpress.fr', // legit dhl site
+    'dhlending.com',
+    'inmotion.dhl',
+    'dhlparcel.nl',
+    'dhltariff.co.uk',
+    'dhlindia-kyc.com',
+    'dpogroup.com',
+    '4flow-service.com', // shipping service
+    'leaders-in-logistics.com', // legit sight for leadership webinar events
+    'deutschepost.de', // German postal service
+    'dhlecommerce.nl',
+    'dhl.nl',
+    'adhlawfirm.com', // similar name but unrelated
+    'attendhlth.com', // dhl in domain but unrelated
+    'tdhlaw.com' // dhl in domain but unrelated
+  )
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_messages_benign
+    )
+  )
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Lookalike domain"
+  - "Social engineering"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+id: "eb1260d6-be8b-5efc-b612-9d630f04fecb"
+og_id: "be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5"
+testing_pr: 3460
+testing_sha: 171a7b68b768865dda56ccbd0c0a38a76b26eb91
