[PR #3487] modified rule: Brand impersonation: Greenvelope

github-actions[bot] · github-actions[bot] · commit c23b36bc93c9 · 2025-11-08T18:07:14.000Z
diff --git a/detection-rules/3487_brand_impersonation_greenvelope.yml b/detection-rules/3487_brand_impersonation_greenvelope.yml
@@ -6,18 +6,46 @@ source: |
   type.inbound
   // Looking for greenvelope phrasing or indicators in HTML
   and (
-    strings.icontains(body.current_thread.text, "greenvelope.com")
+    strings.icontains(body.html.inner_text, "Powered by greenvelope")
+  
     // Look for alt text in HTML for standardized greenvelope formatting if string is not avail.
     or strings.icontains(body.html.raw, 'alt="Greenvelope"')
     or strings.icontains(body.html.raw,
                          'https://www.greenvelope.com/viewer/envelope.ashx'
     )
+    or strings.icontains(body.current_thread.text, '© 2025 Greenvelope, LLC')
+    or strings.icontains(body.current_thread.text,
+                         '8 The Green #8901, Dover, DE 19901'
+    )
   )
+  
+  // no links going to greenvlope cards/"admin" links
+  and length(filter(body.links,
+                    .href_url.domain.root_domain == "greenvelope.com"
+                    and (
+                      // card links
+                      strings.istarts_with(.href_url.path, '/card/')
+                      // user links are links for the person that created the card
+                      or strings.istarts_with(.href_url.path, '/user/')
+                    )
+             )
+  ) == 0
+  
   // Legitimate sender will be from greenvelope, negating known non-associated domains.
   and not (
-    sender.email.domain.root_domain in ("greenvelope.com")
-    or headers.return_path.domain.root_domain in ("greenvelope.com")
+    (
+      sender.email.domain.root_domain in (
+        "greenvelope.com",
+        'greenvelope-email.com'
+      )
+      and headers.auth_summary.spf.pass
+    )
+    or headers.return_path.domain.root_domain in (
+      "greenvelope.com",
+      'greenvelope-email.com'
+    )
   )
+  
   // Capping length to limit FP's
   and length(body.current_thread.text) < 1500
 attack_types:
@@ -31,4 +59,4 @@ detection_methods:
 id: "07bf6342-6504-5dc2-b2d7-9a84556fd9d5"
 og_id: "9cbbf9b8-a44a-5d86-8caa-3aef898841c1"
 testing_pr: 3487
-testing_sha: 04d521242f8107cda620ba8226ff970d051e2237
+testing_sha: 3d5f974244663df2dfc5f9bf6a2d6c76f5204ef5
