Sublime Core Feed
Brand Impersonation: DocSend

Login to Sublime

High Severity

Brand Impersonation: DocSend

Labels

Credential Phishing

Impersonation: Brand

Lookalike domain

Social engineering

Header analysis

Sender analysis

Description

Attack impersonating DocSend.

References

https://docsend.com

Sublime Security

Created Sep 11th, 2024 • Last updated Sep 11th, 2024

Feed Source

Sublime Core Feed

Source

type.inbound
and (
  sender.display_name =~ 'DocSend'
  or strings.ilevenshtein(sender.display_name, 'DocSend') <= 1
  or strings.icontains(sender.email.domain.domain, '*docsend*')
)
and sender.email.domain.root_domain not in~ ('docsend.com')
and sender.email.email not in $recipient_emails

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.