Create abuse_docsend_new_domain.yml (#2164)

Co-authored-by: ID Generator <[email protected]> Co-authored-by: Aiden Mitchell <[email protected]>
sublime-security · Dec 18, 2024 · 6eda67a · 6eda67a
1 parent 099d327
commit 6eda67a
Showing 1 changed file with 37 additions and 0 deletions.
diff --git a/detection-rules/abuse_docsend_new_domain.yml b/detection-rules/abuse_docsend_new_domain.yml
@@ -0,0 +1,37 @@
+name: "Service Abuse: DocSend Share From Newly Registered Domain"
+description: "This Attack Surface Reduction (ASR) rule matches on DocSend notifications with recently registered reply-to domains."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  
+  // Legitimate DocSend sending infratructure
+  and sender.email.email == "[email protected]"
+  and headers.auth_summary.spf.pass
+  and headers.auth_summary.dmarc.pass
+
+  // the message needs to have a reply-to address
+  and length(headers.reply_to) > 0
+  
+  // reply-to email address has never received an email from your org
+  and not any(headers.reply_to, .email.email in $recipient_emails)
+  
+  // new reply-to
+  and any(headers.reply_to,
+          network.whois(.email.domain).days_old < 30
+  )
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "BEC/Fraud"
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Free file host"
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "3bc152f2-6722-57be-b924-055c35fa1e60"