Service abuse: DocSend share from an unsolicited reply-to address

 1name: "Service abuse: DocSend share from an unsolicited reply-to address"
 2description: "DocSend shares which contain a reply-to address or domain that has not been previously observed by the recipient organization."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7
 8  // Legitimate DocSend sending infratructure
 9  and sender.email.email == "no-reply@docsend.com"
10  
11  // 
12  // This rule makes use of a beta feature and is subject to change without notice
13  // using the beta feature in custom rules is not suggested until it has been formally released
14  // 
15  
16  // reply-to address has never sent an email to the org
17  and beta.profile.by_reply_to().prevalence == "new"
18  
19  // reply-to email address has never been sent an email by the org
20  and not beta.profile.by_reply_to().solicited
21
22  // do not match if the reply_to address has been observed as a reply_to address
23  // of a message that has been classified as benign
24  and not beta.profile.by_reply_to().any_messages_benign  
25
26tags:
27 - "Attack surface reduction"
28attack_types:
29  - "Credential Phishing"
30tactics_and_techniques:
31  - "Evasion"
32  - "Free file host"
33  - "Social engineering"
34detection_methods:
35  - "Content analysis"
36  - "Header analysis"
37  - "Sender analysis"
38id: "b377e64c-21bd-5040-86ec-534e545a42db"