Detection rules › Sublime MQL
Service abuse: DocSend share from an unsolicited reply-to address
DocSend shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Evasion, Free file host, Social engineering |
Event coverage
| Message attribute |
|---|
| sender.email |
| type |
Rule body MQL
type.inbound
// Legitimate DocSend sending infratructure
and sender.email.email == "no-reply@docsend.com"
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
// reply-to address has never sent an email to the org
and beta.profile.by_reply_to().prevalence == "new"
// reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited
// do not match if the reply_to address has been observed as a reply_to address
// of a message that has been classified as benign
and not beta.profile.by_reply_to().any_messages_benign
Detection logic
Scope: inbound message.
DocSend shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.
- inbound message
- sender.email.email is 'no-reply@docsend.com'
- beta.profile.by_reply_to().prevalence is 'new'
not:
- beta.profile.by_reply_to().solicited
not:
- beta.profile.by_reply_to().any_messages_benign
Inspects: sender.email.email, type.inbound. Sensors: beta.profile.by_reply_to.
Indicators matched (1)
| Field | Match | Value |
|---|---|---|
sender.email.email | equals | no-reply@docsend.com |