High Severity

Brand impersonation: DocSend

Labels

Credential Phishing

Impersonation: Brand

Description

Attack impersonating DocSend.

References

https://docsend.com

Sublime Security

Created Sep 11th, 2024 • Last updated Mar 18th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and (
  (
    sender.display_name =~ 'DocSend'
    or strings.ilevenshtein(sender.display_name, 'DocSend') <= 1
    or strings.icontains(sender.email.domain.domain, '*docsend*')
    or regex.icontains(body.current_thread.text, 'on Dropbox\s*(?:Doc)?\s*Send')
    or regex.icontains(body.current_thread.text,
                       'The Dropbox\s*(?:Doc)?\s*Send Team'
    )
    or regex.icontains(body.current_thread.text,
                       'Report to Dropbox\s*(?:Doc)?\s*Send'
    )
    or regex.icontains(body.current_thread.text,
                       '©\s*20[0-9]{2}\s*,\s*Dropbox DocSend'
    )
    or any(ml.nlu_classifier(body.current_thread.text).entities,
           .name in ("sender", "org")
           and strings.icontains(.text, 'Dropbox DocSend')
    )
  )
)
and not (
  sender.email.domain.root_domain in~ ('docsend.com')
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
and not profile.by_sender_email().solicited

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.