Brand impersonation: DigitalOcean

calendar Aug 5, 2025  ยท
Share on: linkedin copy

Impersonation of the cloud provider DigitalOcean.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: DigitalOcean"
 2description: |
 3    Impersonation of the cloud provider DigitalOcean.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and (
 9    sender.display_name =~ 'digitalocean'
10    or strings.ilevenshtein(sender.display_name, 'digitalocean') <= 2
11    or strings.ilike(sender.email.domain.domain, '*digitalocean*')
12  )
13  and sender.email.domain.root_domain not in ('digitalocean.com', 'paperspace.com')
14  and (
15    not profile.by_sender().solicited
16    or (
17      profile.by_sender().any_messages_malicious_or_spam
18      and not profile.by_sender().any_messages_benign
19    )
20  )
21  and not profile.by_sender().any_messages_benign  
22attack_types:
23  - "Credential Phishing"
24tactics_and_techniques:
25  - "Impersonation: Brand"
26  - "Lookalike domain"
27  - "Social engineering"
28detection_methods:
29  - "Header analysis"
30  - "Sender analysis"
31id: "7f2f0e97-b89f-54dd-9167-cbf1e55b112b"
to-top