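--- a/detection-rules/brand_impersonation_greenvelope.yml
+++ b/detection-rules/brand_impersonation_greenvelope.yml
@@ -0,0 +1,68 @@
+name: "Brand impersonation: Greenvelope"
+description: "Detects messages impersonating Greenvelope invitations not originating from legitimate Greenvelope domain."
+type: "rule"
+severity: "medium"
+source: |
+type.inbound
+// Looking for greenvelope phrasing or indicators in HTML
+and (
+strings.icontains(body.html.inner_text, "Powered by greenvelope")
+
+// Look for alt text in HTML for standardized greenvelope formatting if string is not avail.
+or strings.icontains(body.html.raw, 'alt="Greenvelope"')
+or strings.icontains(body.html.raw,
+'https://www.greenvelope.com/viewer/envelope.ashx'
+)
+or strings.icontains(body.current_thread.text, '© 2025 Greenvelope, LLC')
+or strings.icontains(body.current_thread.text,
+'8 The Green #8901, Dover, DE 19901'
+)
+)
+
+// no links going to greenvlope cards/"admin" links
+and length(filter(body.links,
+.href_url.domain.root_domain == "greenvelope.com"
+and (
+// card links
+strings.istarts_with(.href_url.path, '/card/')
+// user links are links for the person that created the card
+or strings.istarts_with(.href_url.path, '/user/')
+)
+)
+) == 0
+
+// Legitimate sender will be from greenvelope, negating known non-associated domains.
+and not (
+(
+sender.email.domain.root_domain in (
+"greenvelope.com",
+'greenvelope-email.com'
+)
+and headers.auth_summary.spf.pass
+)
+or headers.return_path.domain.root_domain in (
+"greenvelope.com",
+'greenvelope-email.com'
+)
+)
+
+// avoid fwd/replies
+and not (
+subject.is_forward
+or subject.is_reply
+or length(headers.references) != 0
+or headers.in_reply_to is not null
+or length(body.previous_threads) > 0
+)
+
+// Capping length to limit FP's
+and length(body.current_thread.text) < 1500
+attack_types:
+- "Credential Phishing"
+tactics_and_techniques:
+- "Impersonation: Brand"
+- "Social engineering"
+detection_methods:
+- "Content analysis"
+- "Sender analysis"
+id: "9cbbf9b8-a44a-5d86-8caa-3aef898841c1"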
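Review bot: The return-path branch of the legitimate-sender negation (`or headers.return_path.domain.root_domain in (...)`) is not gated on authentication, while the sender-domain branch directly above it requires `headers.auth_summary.spf.pass`; since the return path is the envelope sender and is set by whoever submits the message, a matching return-path domain alone should not suppress the detection. The asymmetry looks unintentional, and it is the return-path domain that SPF is actually evaluated against, so the guard belongs on this branch too: change it to `or (headers.return_path.domain.root_domain in ("greenvelope.com", 'greenvelope-email.com') and headers.auth_summary.spf.pass)`. Separately, the copyright indicator `'© 2025 Greenvelope, LLC'` is pinned to a single year and will silently stop matching when the footer updates; a comment noting the pin, or a year-agnostic match, would keep that indicator maintainable. As a point of style, the list literals mix `"greenvelope.com"` and `'greenvelope-email.com'` quoting within the same expression; picking one form would make the domain list easier to scan and extend.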