Create brand_impersonation_greenvelope.yml (#3487)

zoomequipd · ID Generator · aidenmitchell · web-flow · commit b8eb748db24d · 2025-12-01T14:42:40.000Z
Co-authored-by: ID Generator &lt;hello@sublimesecurity.com&gt;
Co-authored-by: Aiden Mitchell &lt;me@aidenmitchell.ca&gt;
diff --git a/detection-rules/brand_impersonation_greenvelope.yml b/detection-rules/brand_impersonation_greenvelope.yml
@@ -0,0 +1,68 @@
+name: "Brand impersonation: Greenvelope"
+description: "Detects messages impersonating Greenvelope invitations not originating from legitimate Greenvelope domain."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  // Looking for greenvelope phrasing or indicators in HTML
+  and (
+    strings.icontains(body.html.inner_text, "Powered by greenvelope")
+  
+    // Look for alt text in HTML for standardized greenvelope formatting if string is not avail.
+    or strings.icontains(body.html.raw, 'alt="Greenvelope"')
+    or strings.icontains(body.html.raw,
+                         'https://www.greenvelope.com/viewer/envelope.ashx'
+    )
+    or strings.icontains(body.current_thread.text, '© 2025 Greenvelope, LLC')
+    or strings.icontains(body.current_thread.text,
+                         '8 The Green #8901, Dover, DE 19901'
+    )
+  )
+  
+  // no links going to greenvlope cards/"admin" links
+  and length(filter(body.links,
+                    .href_url.domain.root_domain == "greenvelope.com"
+                    and (
+                      // card links
+                      strings.istarts_with(.href_url.path, '/card/')
+                      // user links are links for the person that created the card
+                      or strings.istarts_with(.href_url.path, '/user/')
+                    )
+             )
+  ) == 0
+  
+  // Legitimate sender will be from greenvelope, negating known non-associated domains.
+  and not (
+    (
+      sender.email.domain.root_domain in (
+        "greenvelope.com",
+        'greenvelope-email.com'
+      )
+      and headers.auth_summary.spf.pass
+    )
+    or headers.return_path.domain.root_domain in (
+      "greenvelope.com",
+      'greenvelope-email.com'
+    )
+  )
+  
+  // avoid fwd/replies
+  and not (
+    subject.is_forward 
+    or subject.is_reply
+    or length(headers.references) != 0 
+    or headers.in_reply_to is not null
+    or length(body.previous_threads) > 0
+  )
+  
+  // Capping length to limit FP's
+  and length(body.current_thread.text) < 1500
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Sender analysis"
+id: "9cbbf9b8-a44a-5d86-8caa-3aef898841c1"
