Brand impersonation: Discord notification

Detects inbound messages that impersonate Discord's notification system through display name spoofing, domain lookalikes, or logo usage in attachments. The messages contain typical Discord-style notification language in the subject line and are not DMARC-authenticated mail from Discord's own domain (the rule excludes only authenticated mail from discord.com and from DMARC-passing high-trust sender domains; any other sender that matches the brand and subject signals is flagged regardless of its own authentication result).

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Discord notification"
 2description: "Detects inbound messages that impersonate Discord's notification system through display name spoofing, domain lookalikes, or logo usage in attachments. The messages contain typical Discord-style notification language in the subject line while failing authentication checks."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    strings.ilike(sender.display_name, '*discord*')
 9    or (
10      strings.ilevenshtein(sender.display_name, 'discord') <= 2
11      and sender.display_name not in~ ("discogs")
12    )
13    or strings.ilike(sender.email.domain.domain, '*discord*')
14    // Discord logo detection in image attachments
15    or any(attachments,
16           .file_type in $file_types_images
17           and any(ml.logo_detect(.).brands,
18                   .name == "Discord" and .confidence != "low"
19           )
20    )
21    // Discord logo detection in message screenshot
22    or any(ml.logo_detect(file.message_screenshot()).brands,
23           .name == "Discord" and .confidence != "low"
24    )
25  )
26  and (
27    strings.icontains(subject.subject, 'you have received a new notification')
28    or regex.icontains(subject.subject,
29                       '(?:(?:new|unread|missed|pending|discord)\s+)?(?:message|notification|alert|activity|call) (?:from|waiting|pending)',
30    )
31    or strings.icontains(subject.subject, 'friend request')
32    or strings.icontains(subject.subject, 'server invitation')
33    or strings.icontains(subject.subject, 'mentioned you')
34    or strings.icontains(subject.subject, 'direct message')
35  )
36  and not (
37    sender.email.domain.root_domain in ("discord.com", "discogs.com")
38    and headers.auth_summary.dmarc.pass
39  )
40  // negate highly trusted sender domains unless they fail DMARC authentication
41  and (
42    (
43      sender.email.domain.root_domain in $high_trust_sender_root_domains
44      and not headers.auth_summary.dmarc.pass
45    )
46    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
47  )  
48
49attack_types:
50  - "Credential Phishing"
51tactics_and_techniques:
52  - "Impersonation: Brand"
53  - "Social engineering"
54detection_methods:
55  - "Computer Vision"
56  - "Content analysis"
57id: "97007826-84e5-5599-8981-e30fc86c56b3"