Author: sublime · Severity: medium · Type: Rule

Brand impersonation: Discord notification

Detects inbound messages that impersonate Discord's notification system through display-name spoofing (including near-miss spellings), a sender domain containing "discord", or Discord logo detection in image attachments or the rendered message. The subject line must contain typical Discord-style notification language, and the message must not come from a legitimate Discord domain or a high-trust sender domain that passes DMARC; a lookalike domain that passes DMARC for itself is still flagged.

MITRE ATT&CK

initial-access

Detection Query

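// Scope: inbound mail only.
type.inbound
// 1. Discord brand signal: display name, sender domain, or detected logo.
and (
  // Display name contains "discord" anywhere (case-insensitive).
  strings.ilike(sender.display_name, '*discord*')
  // ...or is a near-miss spelling (edit distance <= 2). "discogs" is a real
  // brand within that distance; it is exempted only when the whole display
  // name equals it (case-insensitive).
  or (
    strings.ilevenshtein(sender.display_name, 'discord') <= 2
    and sender.display_name not in~ ("discogs")
  )
  // Sender domain contains "discord". The genuine discord.com is removed
  // further down via the DMARC-based exclusion, not here.
  or strings.ilike(sender.email.domain.domain, '*discord*')
  // Discord logo detection in image attachments; low-confidence hits ignored.
  or any(attachments,
         .file_type in $file_types_images
         and any(ml.logo_detect(.).brands,
                 .name == "Discord" and .confidence != "low"
         )
  )
  // Discord logo detection in a rendered screenshot of the message itself.
  or any(ml.logo_detect(file.message_screenshot()).brands,
         .name == "Discord" and .confidence != "low"
  )
)
// 2. Subject carries Discord-style notification language.
and (
  strings.icontains(subject.subject, 'you have received a new notification')
  // "<message|notification|alert|activity|call> <from|waiting|pending>".
  // The leading optional group documents the usual prefixes but cannot change
  // what matches under an unanchored icontains. \s+ between the two keywords
  // tolerates repeated spaces or tabs rather than exactly one space.
  or regex.icontains(subject.subject,
                     '(?:(?:new|unread|missed|pending|discord)\s+)?(?:message|notification|alert|activity|call)\s+(?:from|waiting|pending)',
  )
  or strings.icontains(subject.subject, 'friend request')
  or strings.icontains(subject.subject, 'server invitation')
  or strings.icontains(subject.subject, 'mentioned you')
  or strings.icontains(subject.subject, 'direct message')
)
// 3. Exclude the genuine brands only when they authenticate: discord.com (and
// discogs.com, the known false-positive source) must pass DMARC. A spoof of
// either domain that fails DMARC stays in scope.
// NOTE(review): only discord.com is treated as Discord's legitimate root
// domain; confirm this covers every domain Discord actually sends from.
// NOTE(review): relies on dmarc.pass evaluating as not-pass when no DMARC
// result is present — confirm null handling for this field.
and not (
  sender.email.domain.root_domain in ("discord.com", "discogs.com")
  and headers.auth_summary.dmarc.pass
)
// 4. Negate highly trusted sender domains unless they fail DMARC; a failing
// high-trust domain is treated as a possible spoof and remains in scope.
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)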

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
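# Sublime Security detection rule; the query body under `source` is MQL.
name: "Brand impersonation: Discord notification"
description: "Detects inbound messages that impersonate Discord's notification system through display-name spoofing (including near-miss spellings), a sender domain containing 'discord', or Discord logo detection in image attachments or the rendered message. The subject line must contain typical Discord-style notification language, and the message must not come from a legitimate Discord domain or a high-trust sender domain that passes DMARC; a lookalike domain that passes DMARC for itself is still flagged."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail only.
  type.inbound
  // 1. Discord brand signal: display name, sender domain, or detected logo.
  and (
    // Display name contains "discord" anywhere (case-insensitive).
    strings.ilike(sender.display_name, '*discord*')
    // ...or is a near-miss spelling (edit distance <= 2). "discogs" is a real
    // brand within that distance; it is exempted only when the whole display
    // name equals it (case-insensitive).
    or (
      strings.ilevenshtein(sender.display_name, 'discord') <= 2
      and sender.display_name not in~ ("discogs")
    )
    // Sender domain contains "discord". The genuine discord.com is removed
    // further down via the DMARC-based exclusion, not here.
    or strings.ilike(sender.email.domain.domain, '*discord*')
    // Discord logo detection in image attachments; low-confidence hits ignored.
    or any(attachments,
           .file_type in $file_types_images
           and any(ml.logo_detect(.).brands,
                   .name == "Discord" and .confidence != "low"
           )
    )
    // Discord logo detection in a rendered screenshot of the message itself.
    or any(ml.logo_detect(file.message_screenshot()).brands,
           .name == "Discord" and .confidence != "low"
    )
  )
  // 2. Subject carries Discord-style notification language.
  and (
    strings.icontains(subject.subject, 'you have received a new notification')
    // "<message|notification|alert|activity|call> <from|waiting|pending>".
    // The leading optional group documents the usual prefixes but cannot change
    // what matches under an unanchored icontains. \s+ between the two keywords
    // tolerates repeated spaces or tabs rather than exactly one space.
    or regex.icontains(subject.subject,
                       '(?:(?:new|unread|missed|pending|discord)\s+)?(?:message|notification|alert|activity|call)\s+(?:from|waiting|pending)',
    )
    or strings.icontains(subject.subject, 'friend request')
    or strings.icontains(subject.subject, 'server invitation')
    or strings.icontains(subject.subject, 'mentioned you')
    or strings.icontains(subject.subject, 'direct message')
  )
  // 3. Exclude the genuine brands only when they authenticate: discord.com (and
  // discogs.com, the known false-positive source) must pass DMARC. A spoof of
  // either domain that fails DMARC stays in scope.
  // NOTE(review): only discord.com is treated as Discord's legitimate root
  // domain; confirm this covers every domain Discord actually sends from.
  // NOTE(review): relies on dmarc.pass evaluating as not-pass when no DMARC
  // result is present — confirm null handling for this field.
  and not (
    sender.email.domain.root_domain in ("discord.com", "discogs.com")
    and headers.auth_summary.dmarc.pass
  )
  // 4. Negate highly trusted sender domains unless they fail DMARC; a failing
  // high-trust domain is treated as a possible spoof and remains in scope.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# Classification metadata; not referenced by the query above.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
id: "97007826-84e5-5599-8981-e30fc86c56b3"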