Detection rules › Sublime MQL
Service abuse: DocSend share from newly registered domain
This Attack Surface Reduction (ASR) rule matches on DocSend notifications with recently registered reply-to domains.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | BEC/Fraud, Credential Phishing |
| Tactics and techniques | Evasion, Free file host, Impersonation: Brand, Social engineering |
Event coverage
Rule body MQL
type.inbound
// Legitimate DocSend sending infratructure
and sender.email.email == "no-reply@docsend.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
// the message needs to have a reply-to address
and length(headers.reply_to) > 0
// reply-to email address has never received an email from your org
and not any(headers.reply_to, .email.email in $recipient_emails)
// new reply-to
and any(headers.reply_to, network.whois(.email.domain).days_old < 30)
Detection logic
Scope: inbound message.
This Attack Surface Reduction (ASR) rule matches on DocSend notifications with recently registered reply-to domains.
- inbound message
- sender.email.email is 'no-reply@docsend.com'
- headers.auth_summary.spf.pass
- headers.auth_summary.dmarc.pass
- length(headers.reply_to) > 0
not:
any of
headers.reply_towhere:- .email.email in $recipient_emails
any of
headers.reply_towhere:- network.whois(.email.domain).days_old < 30
Inspects: headers.auth_summary.dmarc.pass, headers.auth_summary.spf.pass, headers.reply_to, headers.reply_to[].email.domain, headers.reply_to[].email.email, sender.email.email, type.inbound. Sensors: network.whois. Reference lists: $recipient_emails.
Indicators matched (1)
| Field | Match | Value |
|---|---|---|
sender.email.email | equals | no-reply@docsend.com |