Brand impersonation: DigitalOcean

Impersonation of the cloud provider DigitalOcean.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: DigitalOcean"
 2description: |
 3    Impersonation of the cloud provider DigitalOcean.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and (
 9    sender.display_name =~ 'digitalocean'
10    or strings.ilevenshtein(sender.display_name, 'digitalocean') <= 2
11    or strings.ilike(sender.email.domain.domain, '*digitalocean*')
12  )
13  and sender.email.domain.root_domain not in (
14    'digitalocean.com',
15    'paperspace.com',
16    'coupahost.com' // third party supplier used by DigitalOcean 
17  )
18  and (
19    not profile.by_sender().solicited
20    or (
21      profile.by_sender().any_messages_malicious_or_spam
22      and not profile.by_sender().any_messages_benign
23    )
24  )
25  and not profile.by_sender().any_messages_benign  
26attack_types:
27  - "Credential Phishing"
28tactics_and_techniques:
29  - "Impersonation: Brand"
30  - "Lookalike domain"
31  - "Social engineering"
32detection_methods:
33  - "Header analysis"
34  - "Sender analysis"
35id: "7f2f0e97-b89f-54dd-9167-cbf1e55b112b"
to-top