Service Abuse: DocuSign Share From an Unsolicited Reply-To Address

calendar Nov 7, 2024 · Attack surface reduction  ·
Share on: linkedin copy

DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.

Sublime rule (View on GitHub)

 1name: "Service Abuse: DocuSign Share From an Unsolicited Reply-To Address"
 2description: "DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  
 8  // message is from docusign actual
 9  and sender.email.domain.root_domain == 'docusign.net'
10  and not any(headers.reply_to, .email.domain.domain == 'docusign.com')
11  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
12  
13  
14  // not a completed DocuSign
15  // reminders are sent automatically and can be just as malicious as the initial
16  // users often decline malicious ones
17  and not strings.istarts_with(subject.subject, "Completed: ")
18  and not strings.istarts_with(subject.subject, "Here is your signed document: ")
19  and not strings.istarts_with(subject.subject, "Voided: ")
20  
21  and length(headers.reply_to) > 0 
22  // reply-to email address has never been sent an email by the org
23  and not (
24    any(headers.reply_to, .email.email in $recipient_emails)
25    // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains
26    or any(filter(headers.reply_to,
27                  // filter the list to only emails that are not in free_email_providers
28                  (
29                    .email.domain.domain not in $free_email_providers
30                    or .email.domain.root_domain not in $free_email_providers
31                  )
32           ),
33           .email.domain.domain in $recipient_domains
34    )
35  )
36  // reply-to address has never sent an email to the org
37  and not (
38    any(headers.reply_to, .email.email in $sender_emails)
39    // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains
40    or any(filter(headers.reply_to,
41                  // filter the list to only emails that are not in free_email_providers
42                  (
43                    .email.domain.domain not in $free_email_providers
44                    or .email.domain.domain not in $free_email_providers
45                  )
46           ),
47           .email.domain.root_domain in $sender_domains
48    )
49  )  
50tags:
51 - "Attack surface reduction"
52attack_types:
53  - "Credential Phishing"
54tactics_and_techniques:
55  - "Evasion"
56  - "Free file host"
57  - "Social engineering"
58detection_methods:
59  - "Content analysis"
60  - "Header analysis"
61  - "Sender analysis"
62id: "2f12d616-f47a-5259-8946-ac2e01940f6f"

Related rules

to-top