Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Lookalike domain, Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| headers.auth_summary |
| sender |
| sender.email |
| type |
Rule body MQL
```
type.inbound
and (
  (
    sender.display_name =~ 'DocSend'
    or strings.ilevenshtein(sender.display_name, 'DocSend') <= 1
    // '*docsend*' is a wildcard pattern, so it needs strings.ilike;
    // strings.icontains would search for the literal asterisks and never match a domain
    or strings.ilike(sender.email.domain.domain, '*docsend*')
    or regex.icontains(body.current_thread.text, 'on Dropbox\s*(?:Doc)?\s*Send')
    or regex.icontains(body.current_thread.text,
                       'The Dropbox\s*(?:Doc)?\s*Send Team'
    )
    or regex.icontains(body.current_thread.text,
                       'Report to Dropbox\s*(?:Doc)?\s*Send'
    )
    or regex.icontains(body.current_thread.text,
                       '©\s*20[0-9]{2}\s*,\s*Dropbox DocSend'
    )
    or any(ml.nlu_classifier(body.current_thread.text).entities,
           .name in ("sender", "org")
           and strings.icontains(.text, 'Dropbox DocSend')
    )
  )
)
// the genuine sender: docsend.com with a DMARC pass (a missing result counts as a fail)
and not (
  sender.email.domain.root_domain in~ ('docsend.com')
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
and not profile.by_sender_email().solicited
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
```
Detection logic
Scope: inbound message.
Attack impersonating DocSend.
- inbound message
- any of:
  - sender.display_name is 'DocSend' (case-insensitive)
  - sender.display_name is within one edit of 'DocSend'
  - sender.email.domain.domain matches the wildcard '*docsend*'
  - body.current_thread.text matches 'on Dropbox\s*(?:Doc)?\s*Send'
  - body.current_thread.text matches 'The Dropbox\s*(?:Doc)?\s*Send Team'
  - body.current_thread.text matches 'Report to Dropbox\s*(?:Doc)?\s*Send'
  - body.current_thread.text matches '©\s*20[0-9]{2}\s*,\s*Dropbox DocSend'
  - any entity of ml.nlu_classifier(body.current_thread.text).entities where all hold:
    - .name in ('sender', 'org')
    - .text contains 'Dropbox DocSend'
- not all of:
  - sender.email.domain.root_domain in ('docsend.com')
  - coalesce(headers.auth_summary.dmarc.pass, false)
- not:
  - profile.by_sender_email().solicited
- any of:
  - all of:
    - sender.email.domain.root_domain in $high_trust_sender_root_domains
    - not headers.auth_summary.dmarc.pass
  - sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, type.inbound. Sensors: ml.nlu_classifier, profile.by_sender_email, regex.icontains, strings.icontains, strings.ilevenshtein, strings.ilike. Reference lists: $high_trust_sender_root_domains.
Indicators matched (11)
| Field | Match | Value |
|---|---|---|
| sender.display_name | equals | DocSend |
| strings.ilevenshtein | fuzzy | DocSend |
| strings.ilike | wildcard | *docsend* |
| regex.icontains | regex | on Dropbox\s*(?:Doc)?\s*Send |
| regex.icontains | regex | The Dropbox\s*(?:Doc)?\s*Send Team |
| regex.icontains | regex | Report to Dropbox\s*(?:Doc)?\s*Send |
| regex.icontains | regex | ©\s*20[0-9]{2}\s*,\s*Dropbox DocSend |
| ml.nlu_classifier(body.current_thread.text).entities[].name | member | sender |
| ml.nlu_classifier(body.current_thread.text).entities[].name | member | org |
| strings.icontains | substring | Dropbox DocSend |
| sender.email.domain.root_domain | member | docsend.com |
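To see how the rule's three exclusions interact with the brand signals, here is the same logic re-implemented in Python and run over a handful of constructed messages. This is an added example, not Sublime's code and not part of the rule: strings.ilike is approximated with fnmatch, strings.ilevenshtein with a small Levenshtein routine, the ml.nlu_classifier entities are passed in as constructed (name, text) pairs rather than produced by a model, and the contents of $high_trust_sender_root_domains are an assumption.

```python
"""Python re-implementation of the DocSend impersonation rule above (added example,
not Sublime's code). strings.ilike is approximated with fnmatch, strings.ilevenshtein
with a small Levenshtein routine, and the ml.nlu_classifier entities are constructed
input. The contents of $high_trust_sender_root_domains are an assumption."""
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# Assumed contents of $high_trust_sender_root_domains (tenant-specific in practice).
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"dropbox.com", "microsoft.com"}

# Body patterns copied from the rule, evaluated like regex.icontains.
BODY_PATTERNS = [
    r"on Dropbox\s*(?:Doc)?\s*Send",
    r"The Dropbox\s*(?:Doc)?\s*Send Team",
    r"Report to Dropbox\s*(?:Doc)?\s*Send",
    r"©\s*20[0-9]{2}\s*,\s*Dropbox DocSend",
]


@dataclass
class Message:
    """The attributes the rule inspects; every instance below is constructed test input."""
    inbound: bool                # type.inbound
    display_name: str            # sender.display_name
    sender_domain: str           # sender.email.domain.domain
    root_domain: str             # sender.email.domain.root_domain
    body: str                    # body.current_thread.text
    dmarc_pass: Optional[bool]   # headers.auth_summary.dmarc.pass; None = no auth results
    solicited: bool              # profile.by_sender_email().solicited
    entities: list = field(default_factory=list)  # (name, text) pairs standing in for NLU entities


def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance, as strings.ilevenshtein."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive wildcard match, as strings.ilike ('*' and '?' are globs)."""
    return fnmatchcase(value.lower(), pattern.lower())


def brand_signals(m: Message) -> bool:
    """The inner 'any of' block: does the message present itself as DocSend?"""
    return (
        m.display_name.lower() == "docsend"               # =~ is case-insensitive equality
        or ilevenshtein(m.display_name, "DocSend") <= 1   # one-edit lookalikes such as 'DocSemd'
        or ilike(m.sender_domain, "*docsend*")            # docsend anywhere in the sending domain
        or any(re.search(p, m.body, re.IGNORECASE) for p in BODY_PATTERNS)
        or any(name in ("sender", "org") and "dropbox docsend" in text.lower()
               for name, text in m.entities)
    )


def is_authenticated_docsend(m: Message) -> bool:
    """root_domain in~ ('docsend.com') and coalesce(dmarc.pass, false): the genuine sender."""
    return m.root_domain.lower() == "docsend.com" and bool(m.dmarc_pass)  # None -> False


def high_trust_gate(m: Message) -> bool:
    """Final clause: a high-trust root domain is excused only when DMARC passes.
    'not None' is True, like 'not null' in MQL, so a high-trust domain with no
    authentication results is still flagged."""
    in_high_trust = m.root_domain.lower() in HIGH_TRUST_SENDER_ROOT_DOMAINS
    return (in_high_trust and not m.dmarc_pass) or not in_high_trust


def matches(m: Message) -> bool:
    """Whole rule: inbound, looks like DocSend, and no exclusion applies."""
    return (m.inbound and brand_signals(m) and not is_authenticated_docsend(m)
            and not m.solicited and high_trust_gate(m))


SAMPLES = {  # constructed, not real mail
    "genuine_docsend": Message(True, "DocSend", "docsend.com", "docsend.com", "Shared on Dropbox DocSend", True, False),
    "spoofed_docsend_dmarc_fail": Message(True, "DocSend", "docsend.com", "docsend.com", "Shared on Dropbox DocSend", False, False),
    "lookalike_display_name": Message(True, "DocSemd", "mail.example-host.net", "example-host.net", "A file awaits you", None, False),
    "solicited_sender": Message(True, "DocSend", "notify.corp.example", "corp.example", "The Dropbox DocSend Team", True, True),
    "high_trust_dmarc_pass": Message(True, "Dropbox", "dropbox.com", "dropbox.com", "© 2024, Dropbox DocSend", True, False),
    "high_trust_no_auth_results": Message(True, "Dropbox", "dropbox.com", "dropbox.com", "© 2024, Dropbox DocSend", None, False),
    "nlu_entity_only": Message(True, "Shared Files", "mailer.example.org", "example.org", "A file was shared", None, False,
                               entities=[("org", "Dropbox DocSend")]),
    "unrelated": Message(True, "Payroll", "corp.example", "corp.example", "Your timesheet is due Friday", True, False),
}


def evaluate_all() -> dict:
    """Run the rule over every sample and return {name: flagged}."""
    return {name: matches(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, flagged in evaluate_all().items():
        print(f"{'FLAG ' if flagged else 'pass '}{name}")
```

Two of the samples are worth a closer look. A message from docsend.com that fails DMARC is still flagged, because the first exclusion requires a pass and coalesce() turns a missing result into a fail. The two exclusions treat a missing DMARC result differently: the docsend.com exclusion defaults it to false with coalesce(), while the high-trust clause relies on `not null` being truthy, so a high-trust domain with no authentication results is not excused and the message is flagged; that asymmetry is intentional in the rule (an unauthenticated message claiming to be a trusted brand should not get a free pass) but it is the kind of thing to confirm against your own mail flow before tuning the list.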