Service Abuse: HelloSign From an Unsolicited Sender Address
Detects messages from HelloSign in which the document originates from a newly observed email address. The email address is extracted from multiple message components, including HTML body templates and email header fields.
name: "Service Abuse: HelloSign From an Unsolicited Sender Address"
description: "Detects messages from HelloSign in which the document originates from a newly observed email address. The email address is extracted from across multiple message components, including HTML body templates and email header fields."
type: "rule"
severity: "low"
# MQL below: "//" is the comment syntax inside the block scalar; "#" would be content.
source: |
  // Scope: genuine HelloSign notifications only (sent from mail.hellosign.com
  // with SPF and DMARC passing). The concern is abuse of the legitimate
  // service, not spoofing of it, so unauthenticated mail is deliberately
  // out of scope.
  type.inbound
  and sender.email.domain.domain == "mail.hellosign.com"
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
  // The originating document sender (the HelloSign account that sent the
  // envelope) is recovered from any one of three message components; each
  // branch applies the same "not previously observed" predicate:
  //   - outside $org_domains
  //   - never seen as a recipient or a sender
  //   - not a non-freemail domain that is already both a recipient domain
  //     and a sender domain (treated as an already-known domain)
  and (
    // extract the sender out of the body html template
    (
      // if the sender_email is available in the body
      regex.icontains(body.html.raw,
                      '<th class="action-item--action[^\>]+\>\s*[^\<]*\((?P<sender_email>[^\)]+)\).*?</th>'
      )
      // check that the sender email has not been observed previously
      // NOTE(review): the icontains guard above only requires "(...)" while
      // the extract pattern below additionally requires an "@"; if the guard
      // matches but the extract does not, all() is evaluated over an empty
      // list — confirm MQL's empty-list result for all() before relying on
      // the guard alone. The same applies to the two branches below.
      and all(regex.iextract(body.html.raw,
                             '<th class="action-item--action[^\>]+\>\s*[^\<]*\((?P<sender_email>[^\"]+@(?P<sender_domain>[^\"]+))\).*?</th>'
              ),
              .named_groups["sender_domain"] not in $org_domains
              and .named_groups["sender_email"] not in $recipient_emails
              and .named_groups["sender_email"] not in $sender_emails
              // exclusion: a non-freemail domain already seen on both the
              // recipient side and the sender side is not treated as new
              and not (
                .named_groups["sender_domain"] not in $free_email_providers
                and .named_groups["sender_domain"] in $recipient_domains
                and .named_groups["sender_domain"] in $sender_domains
              )
      )
    )

    // extract the sender out of header hops if it's there
    // NOTE(review): the extract pattern assumes the serialized JSON in
    // X-Mailgun-Variables has a colon followed by a single space before the
    // quoted value — confirm against live headers.
    or any(headers.hops,
           any(.fields,
               .name == "X-Mailgun-Variables"
               and strings.icontains(.value, 'on_behalf_of_email')
               and all(regex.iextract(.value,
                                      '\"on_behalf_of_email": \"(?P<sender_email>[^\"]+@(?P<sender_domain>[^\"]+))\",'
                       ),
                       .named_groups["sender_domain"] not in $org_domains
                       and .named_groups["sender_email"] not in $recipient_emails
                       and .named_groups["sender_email"] not in $sender_emails
                       // same already-known-domain exclusion as the body branch
                       and not (
                         .named_groups["sender_domain"] not in $free_email_providers
                         and .named_groups["sender_domain"] in $recipient_domains
                         and .named_groups["sender_domain"] in $sender_domains
                       )
               )
           )
    )

    // extract the sender from the "reply to sender" element within the body.html.raw
    // (the mailto: target of the "Reply to sender" link)
    or (
      regex.icontains(body.html.raw,
                      '<a href="mailto:[^\?]+\?[^\"]+\"[^\>]+\>(?:<img[^\>]+\>)?\s*Reply to sender<\/a>'
      )
      and all(regex.iextract(body.html.raw,
                             '<a href="mailto:(?P<sender_email>[^\?]+@(?P<sender_domain>[^\?]+))\?[^\"]+\"[^\>]+\>(?:<img[^\>]+\>)?\s*Reply to sender<\/a>'
              ),
              .named_groups["sender_domain"] not in $org_domains
              and .named_groups["sender_email"] not in $recipient_emails
              and .named_groups["sender_email"] not in $sender_emails
              // same already-known-domain exclusion as the body branch
              and not (
                .named_groups["sender_domain"] not in $free_email_providers
                and .named_groups["sender_domain"] in $recipient_domains
                and .named_groups["sender_domain"] in $sender_domains
              )
      )
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Free file host"
  - "Evasion"
detection_methods:
  - "HTML analysis"
  - "Sender analysis"
  - "Header analysis"
id: "68ca0753-207f-56a0-9dba-3bbbad002bbf"