
Brand impersonation: DigitalOcean

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Impersonation of the cloud provider DigitalOcean.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                  Values
Attack types              Credential Phishing
Tactics and techniques    Impersonation: Brand, Lookalike domain, Social engineering

Event coverage

Message attribute
sender
sender.email
type

Rule body (MQL)

type.inbound
and (
  sender.display_name =~ 'digitalocean'
  or strings.ilevenshtein(sender.display_name, 'digitalocean') <= 2
  or strings.ilike(sender.email.domain.domain, '*digitalocean*')
)
and sender.email.domain.root_domain not in (
  'digitalocean.com',
  'paperspace.com',
  'coupahost.com' // third party supplier used by DigitalOcean 
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign

Detection logic

Scope: inbound message.


  1. inbound message
  2. any of:
    • sender.display_name is 'digitalocean'
    • sender.display_name is similar to 'digitalocean'
    • sender.email.domain.domain matches '*digitalocean*'
  3. sender.email.domain.root_domain not in ('digitalocean.com', 'paperspace.com', 'coupahost.com')
  4. any of:
    • not:
      • profile.by_sender().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
  5. not:
    • profile.by_sender().any_messages_benign

Inspects: sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, type.inbound. Sensors: profile.by_sender, strings.ilevenshtein, strings.ilike.
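To make the decision logic above concrete, here is an added Python re-implementation of the rule's predicates run over a few constructed messages. It is not Sublime's engine or the project's own code: the field names mirror the MQL rule, but the edit-distance and glob helpers, the SenderProfile flags, the sample messages and the root_domain values (supplied directly rather than derived from a public-suffix list) are assumptions made here for illustration.

```python
"""Added example: re-implementation of the DigitalOcean brand-impersonation
rule's logic over constructed sample messages (not Sublime's own code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

BRAND = "digitalocean"
# Root domains the rule treats as legitimate senders for this brand.
LEGIT_ROOT_DOMAINS = {"digitalocean.com", "paperspace.com", "coupahost.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance, like strings.ilevenshtein."""
    return levenshtein(a.lower(), b.lower())


def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive glob match, like strings.ilike ('*' is a wildcard)."""
    return fnmatchcase(value.lower(), pattern.lower())


@dataclass
class SenderProfile:
    """Assumed stand-in for the profile.by_sender() flags the rule reads."""
    solicited: bool
    any_messages_malicious_or_spam: bool
    any_messages_benign: bool


@dataclass
class Message:
    inbound: bool                 # type.inbound
    display_name: str             # sender.display_name
    domain: str                   # sender.email.domain.domain
    root_domain: str              # sender.email.domain.root_domain (given directly)
    profile: SenderProfile


def brand_lookalike(msg: Message) -> bool:
    """Clause 2 of the rule: exact, fuzzy or substring brand reference."""
    return (msg.display_name.lower() == BRAND
            or ilevenshtein(msg.display_name, BRAND) <= 2
            or ilike(msg.domain, "*digitalocean*"))


def matches(msg: Message) -> bool:
    """Full rule: lookalike, not an allow-listed root domain, and no benign history."""
    p = msg.profile
    return (msg.inbound
            and brand_lookalike(msg)
            and msg.root_domain not in LEGIT_ROOT_DOMAINS
            and (not p.solicited
                 or (p.any_messages_malicious_or_spam and not p.any_messages_benign))
            and not p.any_messages_benign)


# Constructed sample messages (all names and domains are made up).
SAMPLES = {
    "lookalike_name_unsolicited": Message(
        True, "Digital0cean", "mail.digital0cean-billing.net",
        "digital0cean-billing.net", SenderProfile(False, False, False)),
    "genuine_sender": Message(
        True, "DigitalOcean", "mail.digitalocean.com",
        "digitalocean.com", SenderProfile(True, False, True)),
    "known_benign_reseller": Message(
        True, "DigitalOcean", "notify.example-reseller.com",
        "example-reseller.com", SenderProfile(True, False, True)),
    "outbound_message": Message(
        False, "DigitalOcean", "mail.digital0cean-billing.net",
        "digital0cean-billing.net", SenderProfile(False, False, False)),
    "domain_substring_with_spam_history": Message(
        True, "Billing Team", "alerts.digitalocean-notices.io",
        "digitalocean-notices.io", SenderProfile(True, True, False)),
}


def evaluate_samples() -> dict:
    """Return {sample name: rule verdict} for every constructed message."""
    return {name: matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:40s} {'FLAG' if verdict else 'pass'}")
```

The fourth clause is what keeps the rule quiet for a solicited sender with no bad history while still firing on a solicited sender that has already sent spam or malicious mail; the final `not any_messages_benign` makes any benign history an unconditional exclusion, which is why the genuine sender and the reseller with benign history both pass.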

Indicators matched (6)

Field                              Match      Value
sender.display_name                equals     digitalocean
strings.ilevenshtein               fuzzy      digitalocean
strings.ilike                      substring  *digitalocean*
sender.email.domain.root_domain    member     digitalocean.com
sender.email.domain.root_domain    member     paperspace.com
sender.email.domain.root_domain    member     coupahost.com