Service Abuse: DocSend Share From an Unsolicited Reply-To Address
DocSend shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.
Sublime rule (View on GitHub)
1name: "Service Abuse: DocSend Share From an Unsolicited Reply-To Address"
2description: "DocSend shares which contain a reply-to address or domain that has not been previously observed by the recipient organization."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7
8 // Legitimate DocSend sending infratructure
9 and sender.email.email == "no-reply@docsend.com"
10 and headers.auth_summary.spf.pass
11 and headers.auth_summary.dmarc.pass
12
13 //
14 // This rule makes use of a beta feature and is subject to change without notice
15 // using the beta feature in custom rules is not suggested until it has been formally released
16 //
17
18 // reply-to address has never sent an email to the org
19 and beta.profile.by_reply_to().prevalence == "new"
20
21 // reply-to email address has never been sent an email by the org
22 and not beta.profile.by_reply_to().solicited
23
24 // do not match if the reply_to address has been observed as a reply_to address
25 // of a message that has been classified as benign
26 and not beta.profile.by_reply_to().any_messages_benign
27
28tags:
29 - "Attack surface reduction"
30attack_types:
31 - "Credential Phishing"
32tactics_and_techniques:
33 - "Evasion"
34 - "Free file host"
35 - "Social engineering"
36detection_methods:
37 - "Content analysis"
38 - "Header analysis"
39 - "Sender analysis"
40id: "b377e64c-21bd-5040-86ec-534e545a42db"
Related rules
- Service Abuse: DocuSign Share From an Unsolicited Reply-To Address
- Service Abuse: Dropbox Share From New Domain
- Service Abuse: Dropbox Share From an Unsolicited Reply-To Address
- Service Abuse: Google Drive Share From an Unsolicited Reply-To Address
- Service Abuse: QuickBooks Notification From New Domain