Detection rules › Sublime MQL
Brand impersonation: DoorDash
Impersonation of the online food ordering and food delivery platform, DoorDash
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Social engineering |
Event coverage
Rule body MQL
type.inbound
and (
strings.ilike(sender.display_name, '*doordash*')
or strings.ilevenshtein(sender.display_name, 'doordash') <= 1
or strings.ilike(sender.email.domain.domain, '*doordash*')
)
and (
sender.email.domain.root_domain not in~ (
'doordash.com',
'cdn4dd.com',
'doordash.team'
)
and sender.email.domain.domain not in~ (
'ws-doordash.sendbird.com',
'qemailserver.com',
'sent-via.netsuite.com'
)
)
and 0 < length(body.links) < 10
and not all(body.links,
.href_url.domain.root_domain in (
'doordash.com',
'cdn4dd.com',
'doordash.team'
)
)
and (
not profile.by_sender().solicited
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Detection logic
Scope: inbound message.
Impersonation of the online food ordering and food delivery platform, DoorDash
- inbound message
any of:
- sender.display_name matches '*doordash*'
- sender.display_name is similar to 'doordash'
- sender.email.domain.domain matches '*doordash*'
all of:
- sender.email.domain.root_domain not in ('doordash.com', 'cdn4dd.com', 'doordash.team')
- sender.email.domain.domain not in ('ws-doordash.sendbird.com', 'qemailserver.com', 'sent-via.netsuite.com')
all of:
- length(body.links) > 0
- length(body.links) < 10
not:
all of
body.linkswhere:- .href_url.domain.root_domain in ('doordash.com', 'cdn4dd.com', 'doordash.team')
any of:
not:
- profile.by_sender().solicited
- profile.by_sender().any_messages_malicious_or_spam
not:
- profile.by_sender().any_messages_benign
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
not:
- headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: body.links, body.links[].href_url.domain.root_domain, headers.auth_summary.dmarc.pass, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, type.inbound. Sensors: profile.by_sender, strings.ilevenshtein, strings.ilike. Reference lists: $high_trust_sender_root_domains.
Indicators matched (11)
| Field | Match | Value |
|---|---|---|
strings.ilike | substring | *doordash* |
strings.ilevenshtein | fuzzy | doordash |
sender.email.domain.root_domain | member | doordash.com |
sender.email.domain.root_domain | member | cdn4dd.com |
sender.email.domain.root_domain | member | doordash.team |
sender.email.domain.domain | member | ws-doordash.sendbird.com |
sender.email.domain.domain | member | qemailserver.com |
sender.email.domain.domain | member | sent-via.netsuite.com |
body.links[].href_url.domain.root_domain | member | doordash.com |
body.links[].href_url.domain.root_domain | member | cdn4dd.com |
body.links[].href_url.domain.root_domain | member | doordash.team |