Enhance USPS impersonation detection rule logic (#3445)

peterdj45 · aidenmitchell · web-flow · commit 8dc772385f05 · 2025-11-05T17:41:04.000Z
Co-authored-by: Aiden Mitchell &lt;me@aidenmitchell.ca&gt;
diff --git a/detection-rules/impersonation_usps.yml b/detection-rules/impersonation_usps.yml
@@ -4,7 +4,10 @@ type: "rule"
 severity: "high"
 source: |
   type.inbound
-  and any(ml.logo_detect(file.message_screenshot()).brands, .name == "USPS")
+  and (
+    any(ml.logo_detect(file.message_screenshot()).brands, .name == "USPS")
+    or sender.display_name =~ "USPS"
+  )
   and length(body.links) > 0
   and 2 of (
     any(body.links,
