Brand impersonation: Digital Ocean

Impersonation of the cloud provider Digital Ocean: flags inbound mail whose sender display name is "digitalocean" (or within two edits of it) or whose sending domain contains "digitalocean", when the sender's root domain is not digitalocean.com and the sender is not one of the organization's own recipient addresses.

Sublime rule

name: "Brand impersonation: Digital Ocean"
description: |
    Impersonation of the cloud provider Digital Ocean.
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    sender.display_name =~ 'digitalocean'
    or strings.ilevenshtein(sender.display_name, 'digitalocean') <= 2
    or strings.ilike(sender.email.domain.domain, '*digitalocean*')
  )
  and sender.email.domain.root_domain !~ 'digitalocean.com'
  and sender.email.email not in $recipient_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "7f2f0e97-b89f-54dd-9167-cbf1e55b112b"
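To see which senders the rule above actually catches, here is an added Python re-implementation of its logic run over a handful of constructed sender records. This is example code written for this page, not Sublime's engine or the rule's own code; `=~` is modelled as case-insensitive equality, `strings.ilevenshtein` as case-insensitive edit distance, `strings.ilike` as a case-insensitive glob, and the `root_domain` helper is a deliberate simplification (last two labels) rather than a public-suffix-list lookup. The sample messages and the `RECIPIENT_EMAILS` set standing in for `$recipient_emails` are invented for the example.

```python
import re

# Constructed sample sender records (not from the original page). Each holds
# only the fields the rule inspects: direction, display name and address.
SAMPLE_MESSAGES = [
    {"display_name": "DigitalOcean", "email": "support@digitalocean.com", "inbound": True},
    {"display_name": "DigitalOcean Support", "email": "billing@digitalocean-support.example", "inbound": True},
    {"display_name": "Digita1Ocean", "email": "noreply@mailer.example", "inbound": True},
    {"display_name": "Accounts", "email": "alerts@digitalocean.net", "inbound": True},
    {"display_name": "Alice", "email": "alice@example.com", "inbound": True},
    {"display_name": "DigitalOcean", "email": "admin@example.com", "inbound": True},
    {"display_name": "DigitalOcean", "email": "ops@digitalocean-status.example", "inbound": False},
]

# Stand-in for Sublime's $recipient_emails list (assumption: the org's own mailboxes).
RECIPIENT_EMAILS = {"admin@example.com", "alice@example.com"}


def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive Levenshtein distance (models strings.ilevenshtein)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive glob where '*' matches any run of characters (models strings.ilike)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def root_domain(domain: str) -> str:
    """Simplified root domain: last two labels. Assumption for the example only;
    a real engine consults the public suffix list (e.g. for co.uk)."""
    labels = domain.lower().split(".")
    return ".".join(labels[-2:])


def matches_rule(msg: dict, recipient_emails: set) -> bool:
    """Evaluate the rule's source expression against one sender record."""
    if not msg["inbound"]:
        return False
    name = msg["display_name"]
    address = msg["email"].lower()
    domain = address.split("@", 1)[1]
    looks_like_brand = (
        name.lower() == "digitalocean"                       # sender.display_name =~ 'digitalocean'
        or ilevenshtein(name, "digitalocean") <= 2           # near-miss display names
        or ilike(domain, "*digitalocean*")                   # brand string anywhere in the domain
    )
    if not looks_like_brand:
        return False
    if root_domain(domain) == "digitalocean.com":            # the genuine root domain is excluded
        return False
    return address not in {e.lower() for e in recipient_emails}  # not one of our own addresses


def flagged_senders(messages, recipient_emails):
    """Return the addresses the rule would flag, in input order."""
    return [m["email"] for m in messages if matches_rule(m, recipient_emails)]


if __name__ == "__main__":
    for sender in flagged_senders(SAMPLE_MESSAGES, RECIPIENT_EMAILS):
        print("FLAGGED", sender)
```

Running it flags the lookalike domain, the display name with a digit-for-letter substitution, and the alternate-TLD domain, while the genuine digitalocean.com sender, the unrelated sender, the internal address that merely uses the brand as a display name, and the outbound message all pass. The `ilike('*digitalocean*')` clause fires on any domain containing the string, so a legitimately registered sibling domain would also be flagged; that is a tuning point to keep in mind when reviewing the rule's alerts.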