Service Abuse: DocuSign Notification with Suspicious Sender or Document Name
The detection rule is intended to match on messages sent from DocuSign with a newly observed reply-to address, where the document name or sender display name contains suspicious content.
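name: "Service Abuse: DocuSign Notification with Suspicious Sender or Document Name"
description: "The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound DocuSign notifications without attachments, whose reply-to
  // address the org has never exchanged mail with, and whose sender display
  // name or subject carries a lure theme (finance, HR, IT, urgency, MFA).
  type.inbound
  and length(attachments) == 0

  // Legitimate Docusign sending infrastructure: authenticated mail from
  // docusign.net, so the abuse is in the account/content rather than a spoof
  and sender.email.domain.root_domain == 'docusign.net'
  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)

  // a reply-to must be present, and none of them may point at the org,
  // a high-trust root domain, or DocuSign itself
  and length(headers.reply_to) > 0
  and not any(headers.reply_to,
              .email.domain.domain in $org_domains
              or .email.domain.root_domain in $high_trust_sender_root_domains
              or .email.domain.root_domain in ("docusign.net", "docusign.com")
  )

  // reply-to email address has never been sent an email by the org
  and not (
    any(headers.reply_to, .email.email in $recipient_emails)
    // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains
    or any(filter(headers.reply_to,
                  // filter the list to only emails that are not in free_email_providers
                  // NOTE(review): with `or`, an address is kept unless BOTH its
                  // domain and its root domain are listed -- confirm this is intended
                  (
                    .email.domain.domain not in $free_email_providers
                    or .email.domain.root_domain not in $free_email_providers
                  )
           ),
           .email.domain.domain in $recipient_domains
    )
  )

  // reply-to address has never sent an email to the org
  and not (
    any(headers.reply_to, .email.email in $sender_emails)
    // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains
    or any(filter(headers.reply_to,
                  // filter the list to only emails that are not in free_email_providers
                  // (mirrors the recipient_domains filter above: the second clause
                  // tests root_domain rather than repeating the domain test)
                  (
                    .email.domain.domain not in $free_email_providers
                    or .email.domain.root_domain not in $free_email_providers
                  )
           ),
           .email.domain.domain in $sender_domains
    )
  )

  // not a completed DocuSign
  // reminders are sent automatically and can be just as malicious as the initial
  // users often decline malicious ones
  and not strings.istarts_with(subject.subject, "Completed: ")
  and not strings.istarts_with(subject.subject, "Here is your signed document: ")
  and not strings.istarts_with(subject.subject, "Voided: ")

  // lure themes: either in the sender display name or in the subject
  and (
    // contains the word docusign before the `via Docusign` part
    regex.icontains(sender.display_name, 'Docusign.*via Docusign$')
    or strings.icontains(subject.subject, 'sharefile')
    or strings.icontains(subject.subject, 'helloshare')

    // sender names part of the subject
    or (
      // Billing Accounting
      regex.icontains(sender.display_name,
                      'Accounts? (?:Payable|Receivable).*via Docusign$',
                      'Billing Support.*via Docusign$'
      )

      // HR/Payroll/Legal/etc
      or regex.icontains(sender.display_name, 'Compliance HR.*via Docusign$')
      or regex.icontains(sender.display_name,
                         '(?:Compliance|Executive|Finance|\bHR\b|Human Resources|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*(?:Department|Team)?.*via Docusign$'
      )
      or regex.icontains(sender.display_name,
                         'Corporate Communications.*via Docusign$'
      )
      or regex.icontains(sender.display_name, 'Employee Relations.*via Docusign$')
      or regex.icontains(sender.display_name, 'Office Manager.*via Docusign$')
      or regex.icontains(sender.display_name, 'Risk Management.*via Docusign$')
      // NOTE(review): `(?:istrator)` is not optional here, so only
      // "Payroll Administrator" matches, not "Payroll Admin" -- confirm intent
      or regex.icontains(sender.display_name,
                         'Payroll Admin(?:istrator).*via Docusign$'
      )

      // IT related
      // NOTE(review): as above, `Admin(?:istrator)` and `Tech(?:nical)` are
      // non-optional groups, so "System Admin" / "Tech Support" do not match
      or regex.icontains(sender.display_name,
                         'IT Support.*via Docusign$',
                         'Information Technology.*via Docusign$',
                         '(?:Network|System)? Admin(?:istrator).*via Docusign$',
                         'Help Desk.*via Docusign$',
                         'Tech(?:nical) Support.*via Docusign$'
      )
    )

    // filename analysis
    // the filename is also contained in the subject line
    or (
      // scanner themed
      regex.icontains(subject.subject, 'scanne[rd]')
      // image theme
      or regex.icontains(subject.subject, '_IMG_')
      or regex.icontains(subject.subject, 'IMG[_-](?:\d|\W)+')

      // Invoice Themes
      or regex.icontains(subject.subject, 'Invoice')
      or regex.icontains(subject.subject, 'INV\b')
      or regex.icontains(subject.subject, 'Payment')
      or regex.icontains(subject.subject, '\bACH\b')
      or regex.icontains(subject.subject, 'Wire Confirmation')
      // NOTE(review): the trailing `\"` requires a literal double quote after
      // the digits; the following, broader PO pattern covers most cases anyway
      or regex.icontains(subject.subject, 'P[O0]\W+?\d+\"')
      or regex.icontains(subject.subject, 'P[O0](?:\W+?|\d+)')
      or regex.icontains(subject.subject, 'receipt')
      or regex.icontains(subject.subject, 'Billing')
      or regex.icontains(subject.subject, 'statement')
      or regex.icontains(subject.subject, 'Past Due')
      or regex.icontains(subject.subject, 'Remit(?:tance)?')
      or regex.icontains(subject.subject, 'Purchase Order')
      // "Settlement" (the previous pattern had a doubled "t" and could not match it)
      or regex.icontains(subject.subject, 'Settlement')

      // contract language
      or regex.icontains(subject.subject, 'Pr[0o]p[0o]sal')
      or regex.icontains(subject.subject, 'Claim Doc')

      // Payroll/HR
      or regex.icontains(subject.subject, 'Payroll')
      or regex.icontains(subject.subject, 'Employee Pay\b')
      or regex.icontains(subject.subject, 'Salary')
      or regex.icontains(subject.subject, 'Benefit Enrollment')
      or regex.icontains(subject.subject, 'Employee Handbook')
      or regex.icontains(subject.subject, 'Reimbursement Approved')

      // shared files/extension/urgency/CTA
      or regex.icontains(subject.subject, 'Urgent')
      or regex.icontains(subject.subject, 'Important')
      or regex.icontains(subject.subject, 'Secure')
      or regex.icontains(subject.subject, 'Encrypt')
      or regex.icontains(subject.subject, 'shared')
      or regex.icontains(subject.subject, 'protected')
      or regex.icontains(subject.subject, 'Validate')
      or regex.icontains(subject.subject, 'Action Required')
      or regex.icontains(subject.subject, 'Final Notice')
      or regex.icontains(subject.subject, 'Review(?: and| & |\s+)?Sign')
      or regex.icontains(subject.subject, 'Download PDF')

      // MFA theme
      or regex.icontains(subject.subject, 'Verification Code')
      or regex.icontains(subject.subject, '\bMFA\b')
    )
  )
attack_types:
  - "Callback Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Header analysis"
  - "Content analysis"
id: "5e4707cd-1953-5fe2-9a62-34e3026f0336"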