Service Abuse: HelloSign Share with Suspicious Sender or Document Name

This rule identifies signature-request notifications that really come from HelloSign's sending infrastructure (SPF and DMARC pass for noreply@mail.hellosign.com) but whose actor-controlled fields — the document title carried in the subject line, the sender's display name, or the sender's message text — contain suspicious content such as callback-scam or payment/HR lures. Because the sender is the genuine service, this is abuse of the platform rather than spoofing of its domain.

Sublime rule

  1name: "Service Abuse: HelloSign Share with Suspicious Sender or Document Name"
  2description: "The detection rule is designed to identify messages sent from HelloSign that notify recipients about a shared file and contain suspicious content either in the document or the sender's display name."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  
  8  // Legitimate Dropbox sending infrastructure
  9  and sender.email.email == "noreply@mail.hellosign.com"
 10  and headers.auth_summary.spf.pass
 11  and headers.auth_summary.dmarc.pass
 12  and (
 13    strings.icontains(subject.subject, ' - Signature Requested')
 14    or (
 15      strings.icontains(subject.subject, 'Reminder: ')
 16      and strings.icontains(subject.subject, 'awaiting your signature')
 17    )
 18  )
 19  and not strings.icontains(subject.subject, 'You just signed')
 20  // negate CDP Esign which reuses hellosign
 21  and not strings.contains(body.current_thread.text, '@cdpesign.com')
 22  // negate messages where the "on_behalf_of_email" is within the org_domains
 23  and not any(headers.hops,
 24              any(.fields,
 25                  .name == "X-Mailgun-Variables"
 26                  and strings.icontains(.value, 'on_behalf_of_email')
 27                  and all(regex.iextract(.value,
 28                                         '\"on_behalf_of_email": \"(?P<sender_email>[^\"]+@(?P<sender_domain>[^\"]+))\",'
 29                          ),
 30                          .named_groups["sender_domain"] in $org_domains
 31                  )
 32              )
 33  )
 34  // sometimes there isn't an on_behalf_of_email, so in those cases we can use the body to extract the sender
 35  and not (
 36    regex.icontains(body.html.raw,
 37                    '<th class="action-item--action[^\>]+\>\s*[^\<]*\((?P<sender_email>[^\)]+)\).*?</th>'
 38    )
 39    // check that the sender email has not been observed previously
 40    and all(regex.iextract(body.html.raw,
 41                           '<th class="action-item--action[^\>]+\>\s*[^\<]*\((?P<sender_email>[^\"]+@(?P<sender_domain>[^\"]+))\).*?</th>'
 42            ),
 43            .named_groups["sender_domain"] in $org_domains
 44    )
 45  )
 46  and (
 47    // contains the word dropbox
 48    // the subject is in the format of "<actor controlled title>(?: - Signature Requested by| is awaiting your signature) <actor controlled name>"
 49    (
 50      strings.icontains(subject.subject, 'dropbox')
 51      // negate where the sender is dropbox
 52      and not any(headers.hops,
 53                  any(.fields,
 54                      .name == "X-Mailgun-Variables"
 55                      and regex.contains(.value,
 56                                         '\"on_behalf_of_email": \"[^\"]+@dropbox.com\"'
 57                      )
 58                  )
 59      )
 60    )
 61    or strings.icontains(subject.subject, 'sharefile')
 62    or strings.icontains(subject.subject, 'helloshare')
 63  
 64    // sender names part of the subject
 65    or (
 66      // Signature Terms in the Sender Display Name
 67      strings.icontains(sender.display_name, 'Signature Requ')
 68      // Billing Accounting
 69      or regex.icontains(sender.display_name,
 70                         'Accounts? (?:Payable|Receivable)',
 71      )
 72      or strings.icontains(sender.display_name, 'Billing Support')
 73  
 74      // HR/Payroll/Legal/etc
 75      or strings.icontains(sender.display_name, 'Compliance HR')
 76      or regex.icontains(sender.display_name,
 77                         '(?:Compliance|Executive|\bHR\b|Human Resources|\bHR\b|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Support).*(?:Department|Dept|Team|Desk)?'
 78      )
 79      or strings.icontains(sender.display_name, 'Corporate Communications')
 80      or strings.icontains(sender.display_name, 'Employee Relations')
 81      or strings.icontains(sender.display_name, 'Office Manager')
 82      or strings.icontains(sender.display_name, 'Risk Management')
 83      or regex.icontains(sender.display_name, 'Payroll Admin(?:istrator)?')
 84  
 85      // IT related
 86      or regex.icontains(sender.display_name,
 87                         'IT Support',
 88                         'Information Technology',
 89                         '(?:Network|System) Admin(?:istrator)?',
 90                         'Help Desk',
 91                         'Tech(?:nical) Support'
 92      )
 93    )
 94
 95    // NLU/Logo Detection on message from the sender/message body 
 96    or any(html.xpath(body.html,
 97                   '//table[not(@class)]/tbody/tr/th[2]/p[@class="subhead"][2]/parent::th'
 98        ).nodes,
 99        any(ml.nlu_classifier(.display_text).intents,
100            .name == "callback_scam" and .confidence == "high"
101        )
102    )
103    // callback logos
104    or any(ml.logo_detect(beta.message_screenshot()).brands,
105           .name in ("PayPal", "Norton", "GeekSquad", "Ebay", "McAfee", "AT&T")
106    )
107
108    // filename analysis
109    // the filename is also contianed in the subject line
110    or (
111      // scanner themed
112      regex.icontains(subject.subject,
113                      'scanne[rd].*(?: - Signature Requested by| is awaiting your signature)'
114      )
115      // image theme
116      or regex.icontains(subject.subject,
117                         '_IMG_.*(?: - Signature Requested by| is awaiting your signature)',
118                         'IMG[_-](?:\d|\W)+.*(?: - Signature Requested by| is awaiting your signature)'
119      )
120      // Invoice Themes
121      or regex.icontains(subject.subject,
122                         '(INV\b|\bACH\b|Wire Confirmation|P[O0]\W+?\d+\"|P[O0](?:\W+?|\d+)|Purchase Order|Past Due|Remit(?:tance)?).*(?: - Signature Requested by| is awaiting your signature)'
123      )
124      // Payment Themes
125      or regex.icontains(subject.subject,
126                         '(?:payment.*(?:complete|confirmation|approved|recent|processing)|(complete|confirmation|approved|recent|processing).*payment).*(?: - Signature Requested by| is awaiting your signature)'
127      )
128  
129      // Payroll/HR
130      or regex.icontains(subject.subject,
131                         '(?:Payroll|Employee Pay\b|Salary|Benefit Enrollment|Payment.*Benefit|Benefit.*Update|Employee Handbook|Reimbursement Approved).*(?: - Signature Requested by| is awaiting your signature)'
132      )
133  
134      // shared files/extenstion/urgency/CTA
135      or regex.icontains(subject.subject,
136                         '(?:Urgent|Important|Immediate|Secure|Encrypt|shared|\bsent\b|protected|Validate|Final Notice|Review(?:and |& )?Sign|Download PDF).*(?: - Signature Requested by| is awaiting your signature)'
137      )
138  
139      // MFA theme
140      or regex.icontains(subject.subject,
141                         '(?:Verification Code|\bMFA\b).*(?: - Signature Requested by| is awaiting your signature)'
142      )
143    )
144  )  
145
146attack_types:
147  - "Callback Phishing"
148  - "BEC/Fraud"
149tactics_and_techniques:
150  - "Evasion"
151  - "Social engineering"
152detection_methods:
153  - "Sender analysis"
154  - "Header analysis"
155  - "Content analysis"
156id: "464d98f3-38b4-5a72-b0d5-e3a148f88025"