← Back to Explore
sublimehighRule
Service abuse: DocSend share from newly registered domain
This Attack Surface Reduction (ASR) rule matches on DocSend notifications with recently registered reply-to domains.
Detection Query
type.inbound
// Legitimate DocSend sending infratructure
and sender.email.email == "no-reply@docsend.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
// the message needs to have a reply-to address
and length(headers.reply_to) > 0
// reply-to email address has never received an email from your org
and not any(headers.reply_to, .email.email in $recipient_emails)
// new reply-to
and any(headers.reply_to, network.whois(.email.domain).days_old < 30)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Service abuse: DocSend share from newly registered domain"
description: "This Attack Surface Reduction (ASR) rule matches on DocSend notifications with recently registered reply-to domains."
type: "rule"
severity: "high"
source: |
type.inbound
// Legitimate DocSend sending infratructure
and sender.email.email == "no-reply@docsend.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
// the message needs to have a reply-to address
and length(headers.reply_to) > 0
// reply-to email address has never received an email from your org
and not any(headers.reply_to, .email.email in $recipient_emails)
// new reply-to
and any(headers.reply_to, network.whois(.email.domain).days_old < 30)
tags:
- "Attack surface reduction"
attack_types:
- "BEC/Fraud"
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Free file host"
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Sender analysis"
id: "3bc152f2-6722-57be-b924-055c35fa1e60"