diff --git a/detection-rules/spoof_ups.yml b/detection-rules/spoof_ups.yml
new file mode 100644
index 00000000000..04e2e936a57
--- /dev/null
+++ b/detection-rules/spoof_ups.yml
@@ -0,0 +1,13 @@
+name: "Brand spoof: UPS"
+description: |
+  Impersonation of United Parcel Service (UPS) a multinational package delivery and supply chain management company, a file sharing service; specifically spoofs the UPS sender domain.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and sender.email.domain.root_domain == 'ups.com'
+  and any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail"))
+tags:
+  - "Brand impersonation"
+  - "Suspicious sender"
+id: "17d8bce8-be2b-5c3a-8480-1e5013086654"
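Review bot: The `description` block contradicts itself by calling UPS both a package delivery company and "a file sharing service", which reads like a phrase left over from another brand-spoof rule and will mislead analysts triaging this alert. It should read `Impersonation of United Parcel Service (UPS), a multinational package delivery and supply chain management company; specifically spoofs the UPS sender domain.` As written the rule only fires when some hop carries a non-null DMARC result matching `*fail`, so a spoofed `ups.com` message whose hops record no DMARC evaluation at all is not matched; if that is intended, a one-line comment in `description` stating that DMARC failure is a required condition would save the next maintainer from reading it as a gap.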