Service Abuse: DocuSign Share From an Unsolicited Reply-To Address
DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.
Sublime rule (View on GitHub)
1name: "Service Abuse: DocuSign Share From an Unsolicited Reply-To Address"
2description: "DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7
8 // message is from docusign actual
9 and sender.email.domain.root_domain == 'docusign.net'
10 and not any(headers.reply_to, .email.domain.domain == 'docusign.com')
11 and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
12
13
14 // not a completed DocuSign
15 // reminders are sent automatically and can be just as malicious as the initial
16 // users often decline malicious ones
17 and not strings.istarts_with(subject.subject, "Completed: ")
18 and not strings.istarts_with(subject.subject, "Here is your signed document: ")
19 and not strings.istarts_with(subject.subject, "Voided: ")
20
21 and length(headers.reply_to) > 0
22 // reply-to email address has never been sent an email by the org
23 and not (
24 any(headers.reply_to, .email.email in $recipient_emails)
25 // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains
26 or any(filter(headers.reply_to,
27 // filter the list to only emails that are not in free_email_providers
28 (
29 .email.domain.domain not in $free_email_providers
30 or .email.domain.root_domain not in $free_email_providers
31 )
32 ),
33 .email.domain.domain in $recipient_domains
34 )
35 )
36 // reply-to address has never sent an email to the org
37 and not (
38 any(headers.reply_to, .email.email in $sender_emails)
39 // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains
40 or any(filter(headers.reply_to,
41 // filter the list to only emails that are not in free_email_providers
42 (
43 .email.domain.domain not in $free_email_providers
44 or .email.domain.root_domain not in $free_email_providers
45 )
46 ),
47 .email.domain.domain in $sender_domains
48 )
49 )
50tags:
51 - "Attack surface reduction"
52attack_types:
53 - "Credential Phishing"
54tactics_and_techniques:
55 - "Evasion"
56 - "Free file host"
57 - "Social engineering"
58detection_methods:
59 - "Content analysis"
60 - "Header analysis"
61 - "Sender analysis"
62id: "2f12d616-f47a-5259-8946-ac2e01940f6f"
Related rules
- Service Abuse: Google Drive Share From an Unsolicited Reply-To Address
- Service Abuse: DocSend Share From Newly Registered Domain
- Attachment: OLE external relationship containing file scheme link to executable filetype
- Service Abuse: QuickBooks Notification From New Domain
- Free subdomain link with credential theft indicators