Service Abuse: DocuSign Notification with Suspicious Sender or Document Name

This detection rule is intended to match messages sent through DocuSign that carry a newly observed reply-to address and contain suspicious content in the document name or the sender display name.

Sublime rule (View on GitHub)

  1name: "Service Abuse: DocuSign Notification with Suspicious Sender or Document Name"
  2description: "The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and length(attachments) == 0
  8  
  9  // Legitimate Docusign sending infratructure
 10  and sender.email.domain.root_domain == 'docusign.net'
 11  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
 12  and length(headers.reply_to) > 0
 13  and not any(headers.reply_to,
 14              .email.domain.domain in $org_domains
 15              or .email.domain.root_domain in $high_trust_sender_root_domains
 16              or .email.domain.root_domain in ("docusign.net", "docusign.com")
 17  )
 18  // 
 19  // This rule makes use of a beta feature and is subject to change without notice
 20  // using the beta feature in custom rules is not suggested until it has been formally released
 21  // 
 22  
 23  // reply-to address has never sent an email to the org
 24  and beta.profile.by_reply_to().prevalence == "new"
 25  
 26  // reply-to email address has never been sent an email by the org
 27  and not beta.profile.by_reply_to().solicited
 28  
 29  // do not match if the reply_to address has been observed as a reply_to address
 30  // of a message that has been classified as benign
 31  and not beta.profile.by_reply_to().any_messages_benign
 32  
 33  // not a completed DocuSign
 34  // reminders are sent automatically and can be just as malicious as the initial
 35  // users often decline malicious ones
 36  and not strings.istarts_with(subject.subject, "Completed: ")
 37  and not strings.istarts_with(subject.subject, "Here is your signed document: ")
 38  and not strings.istarts_with(subject.subject, "Voided: ")
 39  and (
 40    // contains the word docusign before the `via Docusign` part
 41    regex.icontains(sender.display_name, 'Docusign.*via Docusign$')
 42    or strings.icontains(subject.subject, 'sharefile')
 43    or strings.icontains(subject.subject, 'helloshare')
 44  
 45    // sender names part of the subject
 46    or (
 47      // Billing Accounting
 48      regex.icontains(sender.display_name,
 49                      'Accounts? (?:Payable|Receivable).*via Docusign$',
 50                      'Billing Support.*via Docusign$'
 51      )
 52  
 53      // HR/Payroll/Legal/etc
 54      or regex.icontains(sender.display_name, 'Compliance HR.*via Docusign$')
 55      or regex.icontains(sender.display_name,
 56                         '(?:Compliance|Executive|Finance|\bHR\b|Human Resources|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*(?:Department|Team)?.*via Docusign$'
 57      )
 58      or regex.icontains(sender.display_name,
 59                         'Corporate Communications.*via Docusign$'
 60      )
 61      or regex.icontains(sender.display_name, 'Employee Relations.*via Docusign$')
 62      or regex.icontains(sender.display_name, 'Office Manager.*via Docusign$')
 63      or regex.icontains(sender.display_name, 'Risk Management.*via Docusign$')
 64      or regex.icontains(sender.display_name,
 65                         'Payroll Admin(?:istrator).*via Docusign$'
 66      )
 67  
 68      // IT related
 69      or regex.icontains(sender.display_name,
 70                         'IT Support.*via Docusign$',
 71                         'Information Technology.*via Docusign$',
 72                         '(?:Network|System)? Admin(?:istrator).*via Docusign$',
 73                         'Help Desk.*via Docusign$',
 74                         'Tech(?:nical) Support.*via Docusign$'
 75      )
 76    )
 77    // filename analysis
 78    // the filename is also contained in the subject line
 79    or (
 80      // scanner themed
 81      regex.icontains(subject.subject, 'scanne[rd]')
 82      // image theme
 83      or regex.icontains(subject.subject, '_IMG_')
 84      or regex.icontains(subject.subject, 'IMG[_-](?:\d|\W)+')
 85  
 86      // Invoice Themes
 87      or regex.icontains(subject.subject, 'Invoice')
 88      or regex.icontains(subject.subject, 'INV\b')
 89      or regex.icontains(subject.subject, 'Payment')
 90      or regex.icontains(subject.subject, '\bACH\b')
 91      or regex.icontains(subject.subject, 'Wire Confirmation')
 92      or regex.icontains(subject.subject, 'P[O0]\W+?\d+\"')
 93      or regex.icontains(subject.subject, 'P[O0](?:\W+?|\d+)')
 94      or regex.icontains(subject.subject, 'receipt')
 95      or regex.icontains(subject.subject, 'Billing')
 96      or regex.icontains(subject.subject, 'statement')
 97      or regex.icontains(subject.subject, 'Past Due')
 98      or regex.icontains(subject.subject, 'Remit(?:tance)?')
 99      or regex.icontains(subject.subject, 'Purchase Order')
100      or regex.icontains(subject.subject, 'Settlementt')
101  
102      // contract language
103      or regex.icontains(subject.subject, 'Pr[0o]p[0o]sal')
104      or regex.icontains(subject.subject, 'Claim Doc')
105  
106      // Payroll/HR
107      or regex.icontains(subject.subject, 'Payroll')
108      or regex.icontains(subject.subject, 'Employee Pay\b')
109      or regex.icontains(subject.subject, 'Salary')
110      or regex.icontains(subject.subject, 'Benefit Enrollment')
111      or regex.icontains(subject.subject, 'Employee Handbook')
112      or regex.icontains(subject.subject, 'Reimbursement Approved')
113  
114      // 
115      // shared files/extenstion/urgency/CTA
116      or regex.icontains(subject.subject, 'Urgent')
117      or regex.icontains(subject.subject, 'Important')
118      or regex.icontains(subject.subject, 'Secure')
119      or regex.icontains(subject.subject, 'Encrypt')
120      or regex.icontains(subject.subject, 'shared')
121      or regex.icontains(subject.subject, 'protected')
122      or regex.icontains(subject.subject, 'Validate')
123      or regex.icontains(subject.subject, 'Action Required')
124      or regex.icontains(subject.subject, 'Final Notice')
125      or regex.icontains(subject.subject, 'Review(?: and| & |\s+)?Sign')
126      or regex.icontains(subject.subject, 'Download PDF')
127  
128      // MFA theme
129      or regex.icontains(subject.subject, 'Verification Code')
130      or regex.icontains(subject.subject, '\bMFA\b')
131    )
132  )  
133
134attack_types:
135  - "Callback Phishing"
136  - "BEC/Fraud"
137tactics_and_techniques:
138  - "Evasion"
139  - "Social engineering"
140detection_methods:
141  - "Sender analysis"
142  - "Header analysis"
143  - "Content analysis"
144id: "5e4707cd-1953-5fe2-9a62-34e3026f0336"