Brand impersonation: DoorDash

name: "Brand impersonation: DoorDash"
description: "Impersonation of the online food ordering and food delivery platform, DoorDash"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name, '*doordash*')
    or strings.ilevenshtein(sender.display_name, 'doordash') <= 1
    or strings.ilike(sender.email.domain.domain, '*doordash*')
  )
  and (
    sender.email.domain.root_domain not in~ (
      'doordash.com',
      'cdn4dd.com',
      'doordash.team'
    )
    and sender.email.domain.domain not in~ (
      'ws-doordash.sendbird.com',
      'qemailserver.com',
      'sent-via.netsuite.com'
    )
  )
  and 0 < length(body.links) < 10
  and not all(body.links,
              .href_url.domain.root_domain in (
                'doordash.com',
                'cdn4dd.com',
                'doordash.team'
              )
  )
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_messages_benign
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "b0aaaed5-d437-599e-b884-96dddb9980a2"