Service Abuse: HelloSign Share with Suspicious Sender or Document Name
This detection rule identifies HelloSign (Dropbox Sign) signature-request notifications that genuinely originate from HelloSign's sending infrastructure (exact sender address, SPF and DMARC pass, SPF designator under hellosign.com) but whose subject line contains suspicious content. The subject of these notifications is built from two actor-controlled values, the document title and the requesting account's display name, so a compromised or attacker-registered HelloSign account can deliver phishing or BEC lures through a fully authenticated third-party service; the rule flags titles and requester names that mimic internal departments, financial documents, IT/MFA prompts or urgency cues.
Sublime rule (YAML; the `source` field holds the MQL query)
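name: "Service Abuse: HelloSign Share with Suspicious Sender or Document Name"
description: "The detection rule is designed to identify messages sent from HelloSign that notify recipients about a shared file and contain suspicious content either in the document or the sender's display name."
type: "rule"
severity: "medium"
source: |
  type.inbound

  // Legitimate HelloSign (Dropbox Sign) sending infrastructure.
  // Every later check is only meaningful once the message is proven to come
  // from HelloSign itself: exact sender address plus SPF and DMARC pass, with
  // the SPF designator aligned to a *.hellosign.com host. This keeps the rule
  // from being triggered by spoofed "HelloSign" mail, which other rules cover.
  and sender.email.email == "noreply@mail.hellosign.com"
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
  and strings.ends_with(headers.auth_summary.spf.details.designator,
                        '.hellosign.com'
  )
  // HelloSign signature requests use the subject
  // "<document title> - Signature Requested by <requester name>".
  // Both the title and the requester name are chosen by the requesting
  // account, which is what makes this service abusable for lures.
  and strings.icontains(subject.subject, ' - Signature Requested')
  // completion notices ("You just signed ...") are not requests
  and not strings.icontains(subject.subject, 'You just signed')
  and not strings.contains(body.current_thread.text, '@cdpesign.com') // negate CDP Esign which reuses hellosign
  // negate messages where the "on_behalf_of_email" is within the org_domains
  // (i.e. the request was sent by one of our own HelloSign users).
  // X-Mailgun-Variables is added on HelloSign's sending side; it is only
  // trusted here because the SPF/DMARC checks above have already passed.
  and not any(headers.hops,
              any(.fields,
                  .name == "X-Mailgun-Variables"
                  and any($org_domains,
                          // we're not able to do an exact match because the sender email
                          // is dynamic in nature
                          // but the "on_behalf_of_email" is always before "on_behalf_of_guid",
                          // so matching '@<org domain>", "on_behalf_of_guid' pins the
                          // domain to the end of the on_behalf_of_email value
                          strings.icontains(..value,
                                            strings.concat("@", ., "\", \"on_behalf_of_guid")
                          )
                  )
              )
  )
  and (
    // contains the word dropbox (or another file-sharing brand), i.e. the
    // lure pretends a file was shared rather than a signature requested
    // the subject is in the format of "<actor controlled title> - Signature Requested by <actor controlled name>"
    strings.icontains(subject.subject, 'dropbox')
    or strings.icontains(subject.subject, 'sharefile')
    or strings.icontains(subject.subject, 'helloshare')

    // sender names part of the subject: the requester display name follows
    // " - Signature Requested by " and is matched against department /
    // role names an attacker would impersonate
    or (
      // Billing Accounting
      regex.icontains(subject.subject,
                      ' - Signature Requested by .*Accounts? (?:Payable|Receivable)',
                      ' - Signature Requested by .*Billing Support'
      )

      // HR/Payroll/Legal/etc
      or regex.icontains(subject.subject,
                         ' - Signature Requested by .*Compliance HR'
      )
      // NOTE(review): the broad alternation below already covers "Support",
      // "Compliance", "Payroll", "Security" etc. anywhere in the requester
      // name, so several of the narrower patterns in this group are subsumed
      // by it. They are kept as self-documenting examples; the trailing
      // ".*(?:Department|Team)?" is a no-op and only records the intent.
      or regex.icontains(subject.subject,
                         ' - Signature Requested by .*(?:Compliance|Executive|Finance|\bHR\b|Human Resources|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*(?:Department|Team)?'
      )
      or regex.icontains(subject.subject,
                         ' - Signature Requested by .*Corporate Communications'
      )
      or regex.icontains(subject.subject,
                         ' - Signature Requested by .*Employee Relations'
      )
      or regex.icontains(subject.subject,
                         ' - Signature Requested by .*Office Manager'
      )
      or regex.icontains(subject.subject,
                         ' - Signature Requested by .*Risk Management'
      )
      // "(?:istrator)" is optional so both "Payroll Admin" and
      // "Payroll Administrator" match (an unquantified group was a no-op)
      or regex.icontains(subject.subject,
                         ' - Signature Requested by .*Payroll Admin(?:istrator)?'
      )

      // IT related
      // "(?:istrator)?" / "(?:nical)?" are optional so "System Admin" and
      // "Tech Support" match as well as the long forms
      or regex.icontains(subject.subject,
                         ' - Signature Requested by .*IT Support',
                         ' - Signature Requested by .*Information Technology',
                         ' - Signature Requested by .*(?:Network|System)? Admin(?:istrator)?',
                         ' - Signature Requested by .*Help Desk',
                         ' - Signature Requested by .*Tech(?:nical)? Support'
      )

    )
    // filename analysis
    // the filename (document title) is also contained in the subject line,
    // before " - Signature Requested by"
    or (
      // scanner themed
      regex.icontains(subject.subject, 'scanne[rd].* - Signature Requested by')
      // image theme
      or regex.icontains(subject.subject, '_IMG_.* - Signature Requested by')
      or regex.icontains(subject.subject,
                         'IMG[_-](?:\d|\W)+.* - Signature Requested by'
      )


      // Invoice Themes
      or regex.icontains(subject.subject, 'Invoice.* - Signature Requested by')
      or regex.icontains(subject.subject, 'INV\b.* - Signature Requested by')
      or regex.icontains(subject.subject, 'Payment.* - Signature Requested by')
      // NOTE(review): unanchored "ACH" also matches words such as "Reach" or
      // "Attach"; consider '\bACH\b' if this pattern proves noisy
      or regex.icontains(subject.subject, 'ACH.* - Signature Requested by')
      or regex.icontains(subject.subject,
                         'Wire Confirmation.* - Signature Requested by'
      )
      // NOTE(review): '\"' requires a literal double quote right after the
      // PO number, which looks like a typo for '\b' -- confirm against the
      // samples this was written for. The next pattern subsumes it either way.
      or regex.icontains(subject.subject,
                         'P[O0]\W+?\d+\".* - Signature Requested by'
      )
      // NOTE(review): this is unanchored, so any word ending in "po" followed
      // by a non-word character (e.g. "Tempo ") also matches; '\bP[O0]' would
      // be tighter if needed
      or regex.icontains(subject.subject,
                         'P[O0](?:\W+?|\d+).* - Signature Requested by'
      )
      or regex.icontains(subject.subject, 'receipt.* - Signature Requested by')
      or regex.icontains(subject.subject, 'Billing.* - Signature Requested by')
      or regex.icontains(subject.subject, 'statement.* - Signature Requested by')
      or regex.icontains(subject.subject, 'Past Due.* - Signature Requested by')
      or regex.icontains(subject.subject,
                         'Remit(?:tance)?.* - Signature Requested by'
      )
      or regex.icontains(subject.subject,
                         'Purchase Order.* - Signature Requested by'
      )
      or regex.icontains(subject.subject, 'Settlement.* - Signature Requested by')

      // contract language (with common 0-for-o homoglyph substitution)
      or regex.icontains(subject.subject,
                         'Pr[0o]p[0o]sal.* - Signature Requested by'
      )

      or regex.icontains(subject.subject, 'Claim Doc.* - Signature Requested by')

      // Payroll/HR
      or regex.icontains(subject.subject, 'Payroll.* - Signature Requested by')
      or regex.icontains(subject.subject,
                         'Employee Pay\b.* - Signature Requested by'
      )
      or regex.icontains(subject.subject, 'Salary.* - Signature Requested by')
      or regex.icontains(subject.subject,
                         'Benefit Enrollment.* - Signature Requested by'
      )
      or regex.icontains(subject.subject,
                         'Employee Handbook.* - Signature Requested by'
      )
      or regex.icontains(subject.subject,
                         'Reimbursement Approved.* - Signature Requested by'
      )

      // shared files/extension/urgency/CTA
      or regex.icontains(subject.subject, 'Urgent.* - Signature Requested by')
      or regex.icontains(subject.subject, 'Important.* - Signature Requested by')
      or regex.icontains(subject.subject, 'Secure.* - Signature Requested by')
      or regex.icontains(subject.subject, 'Encrypt.* - Signature Requested by')
      or regex.icontains(subject.subject, 'shared.* - Signature Requested by')
      or regex.icontains(subject.subject, 'protected.* - Signature Requested by')
      or regex.icontains(subject.subject, 'Validate.* - Signature Requested by')
      or regex.icontains(subject.subject, 'Action Required.* - Signature Requested by')
      or regex.icontains(subject.subject, 'Final Notice.* - Signature Requested by')
      // the " and " alternative needs the trailing space, otherwise
      // "Review and Sign" (the most common form) never matched
      or regex.icontains(subject.subject,
                         'Review(?: and | & |\s+)?Sign.* - Signature Requested by'
      )
      or regex.icontains(subject.subject,
                         'Download PDF.* - Signature Requested by'
      )

      // a run of upper-case letters, digits, punctuation or whitespace that is
      // immediately followed by a file extension (the extension is required).
      // Case-sensitive on purpose; note the run only has to cover the
      // characters directly before the extension, so "Contract 2.pdf" matches
      // while "Contract.pdf" does not.
      or regex.contains(subject.subject,
                        '[A-Z0-9[:punct:]\s]+(?:\.[a-zA-Z]{3,5}).* - Signature Requested by'
      )
      or regex.icontains(subject.subject,
                         '.*(?:shared|sent).* - Signature Requested by'
      )

      // MFA theme
      or regex.icontains(subject.subject,
                         'Verification Code.* - Signature Requested by'
      )
      or regex.icontains(subject.subject, '\bMFA\b.* - Signature Requested by')
    )
  )
attack_types:
  - "Callback Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Header analysis"
  - "Content analysis"
id: "464d98f3-38b4-5a72-b0d5-e3a148f88025"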