Brand impersonation: DigitalOcean
Impersonation of the cloud provider DigitalOcean.
Sublime rule (View on GitHub)
1name: "Brand impersonation: DigitalOcean"
2description: |
3 Impersonation of the cloud provider DigitalOcean.
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and (
9 sender.display_name =~ 'digitalocean'
10 or strings.ilevenshtein(sender.display_name, 'digitalocean') <= 2
11 or strings.ilike(sender.email.domain.domain, '*digitalocean*')
12 )
13 and sender.email.domain.root_domain not in (
14 'digitalocean.com',
15 'paperspace.com',
16 'coupahost.com' // third party supplier used by DigitalOcean
17 )
18 and (
19 not profile.by_sender().solicited
20 or (
21 profile.by_sender().any_messages_malicious_or_spam
22 and not profile.by_sender().any_messages_benign
23 )
24 )
25 and not profile.by_sender().any_messages_benign
26attack_types:
27 - "Credential Phishing"
28tactics_and_techniques:
29 - "Impersonation: Brand"
30 - "Lookalike domain"
31 - "Social engineering"
32detection_methods:
33 - "Header analysis"
34 - "Sender analysis"
35id: "7f2f0e97-b89f-54dd-9167-cbf1e55b112b"