Service Abuse: DocSend Share From an Unsolicited Reply-To Address

DocSend shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.

Sublime rule (View on GitHub)

name: "Service Abuse: DocSend Share From an Unsolicited Reply-To Address"
description: "DocSend shares which contain a reply-to address or domain that has not been previously observed by the recipient organization."
type: "rule"
severity: "high"
source: |
  type.inbound

  // Legitimate DocSend sending infrastructure
  and sender.email.email == "no-reply@docsend.com"
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass

  // the message needs to have a reply-to address
  and length(headers.reply_to) > 0

  // reply-to email address has never been sent an email by the org
  and not (
    any(headers.reply_to, .email.email in $recipient_emails)
    // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains
    or any(filter(headers.reply_to,
                  // filter the list to only emails that are not in free_email_providers
                  (
                    .email.domain.domain not in $free_email_providers
                    or .email.domain.root_domain not in $free_email_providers
                  )
           ),
           .email.domain.domain in $recipient_domains
    )
  )
  // reply-to address has never sent an email to the org
  and not (
    any(headers.reply_to, .email.email in $sender_emails)
    // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains
    or any(filter(headers.reply_to,
                  // filter the list to only emails that are not in free_email_providers
                  (
                    .email.domain.domain not in $free_email_providers
                    or .email.domain.root_domain not in $free_email_providers
                  )
           ),
           .email.domain.domain in $sender_domains
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "b377e64c-21bd-5040-86ec-534e545a42db"
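To make the rule's logic concrete, the following is an added Python re-implementation of its decision flow, not Sublime's own code or MQL. The Message class, the docsend() helper and the list contents (FREE_EMAIL_PROVIDERS, RECIPIENT_EMAILS, RECIPIENT_DOMAINS, SENDER_EMAILS, SENDER_DOMAINS) are constructed stand-ins for the header fields and the $recipient_*/$sender_*/$free_email_providers lists the rule references; root_domain_of() is a crude approximation of MQL's .root_domain. The worked cases show the point most easily missed when reading the rule: a familiar domain clears a new mailbox only when that domain is not a free email provider.

```python
from dataclasses import dataclass

# Constructed stand-ins for the Sublime lists the rule references
# ($free_email_providers, $recipient_emails, $recipient_domains,
# $sender_emails, $sender_domains). Example data only.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
RECIPIENT_EMAILS = {"partner@vendor.example"}   # the org has sent mail to these
RECIPIENT_DOMAINS = {"vendor.example"}
SENDER_EMAILS = {"alice@gmail.com"}             # these have sent mail to the org
SENDER_DOMAINS = {"vendor.example"}

DOCSEND_SENDER = "no-reply@docsend.com"


@dataclass
class Message:
    """Hypothetical minimal model of the header fields the rule inspects."""
    sender_email: str
    spf_pass: bool
    dmarc_pass: bool
    reply_to: list  # reply-to addresses; may be empty


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def root_domain_of(domain: str) -> str:
    # Approximation of MQL's .root_domain (last two labels). The real
    # attribute is public-suffix aware; this toy is not.
    return ".".join(domain.split(".")[-2:])


def previously_seen(reply_to, known_emails, known_domains) -> bool:
    """Mirror of one of the rule's two `not (...)` blocks.

    An address counts as known if the exact address is in known_emails, or if
    it is NOT at a free email provider and its domain is in known_domains.
    Free-provider addresses get no domain-level pass on purpose: gmail.com
    being familiar says nothing about one particular gmail.com mailbox.
    """
    if any(e.lower() in known_emails for e in reply_to):
        return True
    non_free = [
        e for e in reply_to
        if domain_of(e) not in FREE_EMAIL_PROVIDERS
        or root_domain_of(domain_of(e)) not in FREE_EMAIL_PROVIDERS
    ]
    return any(domain_of(e) in known_domains for e in non_free)


def matches_rule(msg: Message) -> bool:
    """True when the message would fire this detection."""
    # Only genuine, authenticated DocSend infrastructure is in scope
    if msg.sender_email.lower() != DOCSEND_SENDER:
        return False
    if not (msg.spf_pass and msg.dmarc_pass):
        return False
    # Without a reply-to there is no sharer address to evaluate
    if not msg.reply_to:
        return False
    # Unsolicited means: never mailed by the org and never mailed the org
    if previously_seen(msg.reply_to, RECIPIENT_EMAILS, RECIPIENT_DOMAINS):
        return False
    if previously_seen(msg.reply_to, SENDER_EMAILS, SENDER_DOMAINS):
        return False
    return True


def docsend(reply_to, spf=True, dmarc=True) -> Message:
    """Build a constructed DocSend notification with the given reply-to list."""
    return Message(DOCSEND_SENDER, spf, dmarc, list(reply_to))


if __name__ == "__main__":
    cases = {
        "unknown domain": docsend(["share@unknown-corp.example"]),
        "known partner address": docsend(["partner@vendor.example"]),
        "new person at known domain": docsend(["bob@vendor.example"]),
        "unseen gmail mailbox": docsend(["bob@gmail.com"]),
        "previously seen gmail mailbox": docsend(["alice@gmail.com"]),
        "no reply-to": docsend([]),
        "spf failed": docsend(["share@unknown-corp.example"], spf=False),
    }
    for label, m in cases.items():
        print(f"{label:32} -> {'ALERT' if matches_rule(m) else 'pass'}")
```

Running the block prints one line per case; the two worth comparing are "new person at known domain" (passes, because vendor.example is a known non-free domain) and "unseen gmail mailbox" (alerts, because the free-provider filter strips it before the domain check). When tuning this rule, the lists are the lever: an organisation that routinely receives DocSend shares from a partner domain stops seeing alerts for it as soon as that domain appears in its sender or recipient history.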
