diff --git a/detection-rules/spoof_ups.yml b/detection-rules/spoof_ups.yml
new file mode 100644
index 00000000000..7755a13dedb
--- /dev/null
+++ b/detection-rules/spoof_ups.yml
@@ -0,0 +1,14 @@
+name: "Brand spoof: UPS"
+description: |
+  Impersonation of United Parcel Service (UPS) a multinational package delivery and supply chain management company, a file sharing service; specifically spoofs the UPS sender domain.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and sender.email.domain.root_domain == 'ups.com'
+  and any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail"))
+tags:
+  - "Brand impersonation"
+  - "Suspicious sender"
+testing_pr: 480
+testing_sha: 0c91c3bda233f2767910bbc557b55ab94a0576cb
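Review bot: The description's phrase "a multinational package delivery and supply chain management company, a file sharing service" looks like a leftover from a file-sharing brand template and misdescribes what this rule detects; suggested text: `Impersonation of United Parcel Service (UPS), a multinational package delivery and supply chain management company; specifically spoofs the UPS sender domain.` The `any(distinct(headers.hops, …), strings.ilike(.authentication_results.dmarc, "*fail"))` clause fires as soon as any one hop records a DMARC failure, so a message that fails at an intermediate relay but passes at the delivering hop (for example after a legitimate forward that breaks SPF alignment) would presumably still match — the description should say whether that is intended, since it drives the false-positive rate of a medium-severity rule. The `sender.email.domain.root_domain == 'ups.com'` check is an exact match, so lookalike or cousin domains are deliberately out of scope; a short note to that effect in the description would help tuners understand the rule's coverage boundary.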