Sync from PR#2092

Update impersonation_dhl.yml by @zoomequipd
#2092
Source SHA 887850c
Triggered by @zoomequipd

detection-rules/impersonation_dhl.yml

@@ -0,0 +1,121 @@
+name: "Brand impersonation: DHL"
+description: |
+  Impersonation of the shipping provider DHL.
+references:
+  - "https://www.helpnetsecurity.com/2020/08/21/q2-2020-email-security-trends/"
+  - "https://www.dhl.com/ca-en/home/footer/fraud-awareness.html"
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  and (
+    regex.icontains(sender.display_name, '\bDHL\b')
+    or  (
+    strings.ilike(sender.email.domain.domain, '*DHL*')
+      and length(sender.email.domain.domain) > 15
+    )
+    or strings.icontains(sender.email.local_part, "DHL")
+    or strings.ilike(subject.subject, '*DHL notification*')
+    or regex.contains(subject.subject, '\bD.{0,2}H.{0,2}L.{0,2}\b')
+  )
+  and (
+    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
+    or any(ml.nlu_classifier(body.current_thread.text).entities,
+           .name == "org" and .text =~ "DHL"
+    )
+    or any(ml.logo_detect(beta.message_screenshot()).brands,
+           .name == "DHL" and .confidence in ("medium", "high")
+    )
+    or regex.icontains(body.current_thread.text, '\bDHL\b')
+    or (
+      any(file.explode(beta.message_screenshot()),
+          strings.ilike(.scan.ocr.raw,
+                        "*package*",
+                        "*parcel*",
+                        "*shipping*",
+                        "*delivery*",
+                        "*track*"
+          )
+      )
+      or strings.ilike(body.current_thread.text,
+                       "*package*",
+                       "*parcel*",
+                       "*shipping*",
+                       "*delivery*",
+                       "*track*"
+      )
+    )
+  )
+  and (
+    (
+      (
+        length(headers.references) > 0
+        or not any(headers.hops,
+                   any(.fields, strings.ilike(.name, "In-Reply-To"))
+        )
+      )
+      and not (
+        (
+          strings.istarts_with(subject.subject, "RE:")
+          or strings.istarts_with(subject.subject, "RES:")
+          or strings.istarts_with(subject.subject, "R:")
+          or strings.istarts_with(subject.subject, "ODG:")
+          or strings.istarts_with(subject.subject, "答复:")
+          or strings.istarts_with(subject.subject, "AW:")
+          or strings.istarts_with(subject.subject, "TR:")
+          or strings.istarts_with(subject.subject, "FWD:")
+          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
+        )
+      )
+    )
+    or length(headers.references) == 0
+  )
+  and sender.email.domain.root_domain not in~ (
+    'dhl.com',
+    'dhl-news.com',
+    'bdhllp.com',
+    'dhlecommerce.co.uk',
+    'dhlparcel.co.uk',
+    'dhlecs.com',
+    'dhl.co.uk',
+    'dhl.co.tz',
+    'dpdhl.com',
+    'dhl.de',
+    'dhl.fr',
+    'dhlexpress.fr', // legit dhl site
+    'dhlending.com',
+    'inmotion.dhl',
+    'dhlparcel.nl',
+    'dhltariff.co.uk',
+    'dhlindia-kyc.com',
+    'dpogroup.com',
+    '4flow-service.com'  // shipping service
+  )
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Lookalike domain"
+  - "Social engineering"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+id: "be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5"
+testing_pr: 2092
+testing_sha: 887850c57ec5ab818ca244973935d850558b6dd3