[PR #3457] added rule: Brand impersonation: Paperless Post

Author: github-actions[bot]

detection-rules/3457_brand_impersonation_paperlesspost.yml

@@ -0,0 +1,41 @@
+name: "Brand impersonation: Paperless Post"
+description: "Detects messages containing multiple images hosted on ppassets.com (Paperless Post's asset domain) but with fewer than 3 legitimate Paperless Post links, while excluding authentic forwards/replies and messages from verified Paperless Post domains with valid DMARC authentication."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and strings.contains(body.html.raw, 'ppassets.com')
+  and length(filter(html.xpath(body.html, '//img/@src').nodes,
+                    // calling parse_url allows url decoding to help us
+                    strings.parse_url(.raw).domain.root_domain == 'ppassets.com'
+             )
+  ) >= 2
+  and length(filter(body.links,
+                    .href_url.domain.domain == "links.paperlesspost.com"
+             )
+  ) < 3
+  and not (
+    (subject.is_forward or subject.is_reply)
+    and (length(headers.references) != 0 or headers.in_reply_to is not null)
+    and length(body.previous_threads) > 0
+  )
+  and not (
+    sender.email.domain.root_domain == "paperlesspost.com"
+    and headers.auth_summary.dmarc.pass
+  )
+
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "HTML analysis"
+  - "Sender analysis"
+  - "URL analysis"
+id: "bc42e605-e209-565f-aa99-de14bf398910"
+og_id: "e9ec5e09-e50f-5d02-ad14-35a1a1442960"
+testing_pr: 3457
+testing_sha: e3fec67c8215b08a3dd27147b29f0ffda2d04c0d