Service Abuse: DocuSign Notification with Suspicious Sender or Document Name

The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name.

Sublime rule (View on GitHub)

  1name: "Service Abuse: DocuSign Notification with Suspicious Sender or Document Name"
  2description: "The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and length(attachments) == 0
  8  
  9  // Legitimate Docusign sending infratructure
 10  and sender.email.domain.root_domain == 'docusign.net'
 11  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
 12  and length(headers.reply_to) > 0
 13  and not any(headers.reply_to,
 14              .email.domain.domain in $org_domains
 15              or .email.domain.root_domain in $high_trust_sender_root_domains
 16              or .email.domain.root_domain in ("docusign.net", "docusign.com")
 17  )
 18  
 19    and length(headers.reply_to) > 0 
 20    // reply-to email address has never been sent an email by the org
 21    and not (
 22      any(headers.reply_to, .email.email in $recipient_emails)
 23      // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains
 24      or any(filter(headers.reply_to,
 25                    // filter the list to only emails that are not in free_email_providers
 26                    (
 27                      .email.domain.domain not in $free_email_providers
 28                      or .email.domain.root_domain not in $free_email_providers
 29                    )
 30             ),
 31             .email.domain.domain in $recipient_domains
 32      )
 33    )
 34    // reply-to address has never sent an email to the org
 35    and not (
 36      any(headers.reply_to, .email.email in $sender_emails)
 37      // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains
 38      or any(filter(headers.reply_to,
 39                    // filter the list to only emails that are not in free_email_providers
 40                    (
 41                      .email.domain.domain not in $free_email_providers
 42                      or .email.domain.domain not in $free_email_providers
 43                    )
 44             ),
 45             .email.domain.domain in $sender_domains
 46      )
 47    )
 48  
 49  // not a completed DocuSign
 50  // reminders are sent automatically and can be just as malicious as the initial
 51  // users often decline malicious ones
 52  and not strings.istarts_with(subject.subject, "Completed: ")
 53  and not strings.istarts_with(subject.subject, "Here is your signed document: ")
 54  and not strings.istarts_with(subject.subject, "Voided: ")
 55  and (
 56    // contains the word docusign before the `via Docusign` part
 57    regex.icontains(sender.display_name, 'Docusign.*via Docusign$')
 58    or strings.icontains(subject.subject, 'sharefile')
 59    or strings.icontains(subject.subject, 'helloshare')
 60  
 61    // sender names part of the subject
 62    or (
 63      // Billing Accounting
 64      regex.icontains(sender.display_name,
 65                      'Accounts? (?:Payable|Receivable).*via Docusign$',
 66                      'Billing Support.*via Docusign$'
 67      )
 68  
 69      // HR/Payroll/Legal/etc
 70      or regex.icontains(sender.display_name, 'Compliance HR.*via Docusign$')
 71      or regex.icontains(sender.display_name,
 72                         '(?:Compliance|Executive|Finance|\bHR\b|Human Resources|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*(?:Department|Team)?.*via Docusign$'
 73      )
 74      or regex.icontains(sender.display_name,
 75                         'Corporate Communications.*via Docusign$'
 76      )
 77      or regex.icontains(sender.display_name, 'Employee Relations.*via Docusign$')
 78      or regex.icontains(sender.display_name, 'Office Manager.*via Docusign$')
 79      or regex.icontains(sender.display_name, 'Risk Management.*via Docusign$')
 80      or regex.icontains(sender.display_name,
 81                         'Payroll Admin(?:istrator).*via Docusign$'
 82      )
 83  
 84      // IT related
 85      or regex.icontains(sender.display_name,
 86                         'IT Support.*via Docusign$',
 87                         'Information Technology.*via Docusign$',
 88                         '(?:Network|System)? Admin(?:istrator).*via Docusign$',
 89                         'Help Desk.*via Docusign$',
 90                         'Tech(?:nical) Support.*via Docusign$'
 91      )
 92    )
 93    // filename analysis
 94    // the filename is also contained in the subject line
 95    or (
 96      // scanner themed
 97      regex.icontains(subject.subject, 'scanne[rd]')
 98      // image theme
 99      or regex.icontains(subject.subject, '_IMG_')
100      or regex.icontains(subject.subject, 'IMG[_-](?:\d|\W)+')
101  
102      // Invoice Themes
103      or regex.icontains(subject.subject, 'Invoice')
104      or regex.icontains(subject.subject, 'INV\b')
105      or regex.icontains(subject.subject, 'Payment')
106      or regex.icontains(subject.subject, '\bACH\b')
107      or regex.icontains(subject.subject, 'Wire Confirmation')
108      or regex.icontains(subject.subject, 'P[O0]\W+?\d+\"')
109      or regex.icontains(subject.subject, 'P[O0](?:\W+?|\d+)')
110      or regex.icontains(subject.subject, 'receipt')
111      or regex.icontains(subject.subject, 'Billing')
112      or regex.icontains(subject.subject, 'statement')
113      or regex.icontains(subject.subject, 'Past Due')
114      or regex.icontains(subject.subject, 'Remit(?:tance)?')
115      or regex.icontains(subject.subject, 'Purchase Order')
116      or regex.icontains(subject.subject, 'Settlementt')
117  
118      // contract language
119      or regex.icontains(subject.subject, 'Pr[0o]p[0o]sal')
120      or regex.icontains(subject.subject, 'Claim Doc')
121  
122      // Payroll/HR
123      or regex.icontains(subject.subject, 'Payroll')
124      or regex.icontains(subject.subject, 'Employee Pay\b')
125      or regex.icontains(subject.subject, 'Salary')
126      or regex.icontains(subject.subject, 'Benefit Enrollment')
127      or regex.icontains(subject.subject, 'Employee Handbook')
128      or regex.icontains(subject.subject, 'Reimbursement Approved')
129  
130      // 
131      // shared files/extenstion/urgency/CTA
132      or regex.icontains(subject.subject, 'Urgent')
133      or regex.icontains(subject.subject, 'Important')
134      or regex.icontains(subject.subject, 'Secure')
135      or regex.icontains(subject.subject, 'Encrypt')
136      or regex.icontains(subject.subject, 'shared')
137      or regex.icontains(subject.subject, 'protected')
138      or regex.icontains(subject.subject, 'Validate')
139      or regex.icontains(subject.subject, 'Action Required')
140      or regex.icontains(subject.subject, 'Final Notice')
141      or regex.icontains(subject.subject, 'Review(?: and| & |\s+)?Sign')
142      or regex.icontains(subject.subject, 'Download PDF')
143  
144      // MFA theme
145      or regex.icontains(subject.subject, 'Verification Code')
146      or regex.icontains(subject.subject, '\bMFA\b')
147    )
148  )  
149attack_types:
150  - "Callback Phishing"
151  - "BEC/Fraud"
152tactics_and_techniques:
153  - "Evasion"
154  - "Social engineering"
155detection_methods:
156  - "Sender analysis"
157  - "Header analysis"
158  - "Content analysis"
159id: "5e4707cd-1953-5fe2-9a62-34e3026f0336"
to-top