Service Abuse: DocSend Share From Newly Registered Domain

 1name: "Service Abuse: DocSend Share From Newly Registered Domain"
 2description: "This Attack Surface Reduction (ASR) rule matches on DocSend notifications with recently registered reply-to domains."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  
 8  // Legitimate DocSend sending infratructure
 9  and sender.email.email == "no-reply@docsend.com"
10  and headers.auth_summary.spf.pass
11  and headers.auth_summary.dmarc.pass
12
13  // the message needs to have a reply-to address
14  and length(headers.reply_to) > 0
15  
16  // reply-to email address has never received an email from your org
17  and not any(headers.reply_to, .email.email in $recipient_emails)
18  
19  // new reply-to
20  and any(headers.reply_to,
21          network.whois(.email.domain).days_old < 30
22  )  
23tags:
24 - "Attack surface reduction"
25attack_types:
26  - "BEC/Fraud"
27  - "Credential Phishing"
28tactics_and_techniques:
29  - "Evasion"
30  - "Free file host"
31  - "Impersonation: Brand"
32  - "Social engineering"
33detection_methods:
34  - "Content analysis"
35  - "Header analysis"
36  - "Sender analysis"
37id: "3bc152f2-6722-57be-b924-055c35fa1e60"