Commit
Sync from PR#480
New Rule: Brand Spoof: UPS by @morriscode
#480
Source SHA 0c91c3b
Triggered by @jkamdjou
Sublime Rule Testing Bot committed Jun 13, 2023
1 parent c0274c1 commit 360835c
Showing 1 changed file with 14 additions and 0 deletions.
14 changes: 14 additions & 0 deletions detection-rules/spoof_ups.yml
@@ -0,0 +1,14 @@
name: "Brand spoof: UPS"
description: |
Impersonation of United Parcel Service (UPS) a multinational package delivery and supply chain management company, a file sharing service; specifically spoofs the UPS sender domain.
type: "rule"
severity: "medium"
source: |
type.inbound
and sender.email.domain.root_domain == 'ups.com'
and any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail"))
tags:
- "Brand impersonation"
- "Suspicious sender"
testing_pr: 480
testing_sha: 0c91c3bda233f2767910bbc557b55ab94a0576cb
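
Review bot: In the description, the clause "a file sharing service" contradicts the "multinational package delivery and supply chain management company" wording just before it and should be dropped; a comma after "(UPS)" would also help the sentence parse. In the source block, the last condition only matches when a hop carries a DMARC result ending in "fail", so a message with sender root domain 'ups.com' and no DMARC result on any hop will not fire. If that is intended, say so in the description; if not, add a branch for the missing-result case. The `distinct(headers.hops, .authentication_results.dmarc is not null)` key is a boolean, so it is worth a short comment stating which hop is meant to be evaluated when several hops record different DMARC outcomes.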
