Brand impersonation: DocuSign (QR code)
Detects messages using DocuSign image-based lures that reference or include a QR code, sent from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
Sublime rule (View on GitHub)
# Sublime detection rule. The `source` block scalar holds the MQL query that is
# evaluated per message; the remaining keys are rule metadata.
name: "Brand impersonation: DocuSign (QR code)"
description: "Detects messages using DocuSign image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads."
type: "rule"
severity: "high"
source: |
  // Inbound mail only; every clause below is ANDed with this.
  type.inbound
  // Lure: at least one image or PDF attachment that shows the DocuSign brand.
  // The per-attachment logo check requires medium/high confidence; the
  // rendered-message screenshot path has no confidence threshold.
  and any(attachments,
          (.file_type in $file_types_images or .file_type == "pdf")
          and (
            any(ml.logo_detect(.).brands,
                .name == "DocuSign" and .confidence in ("medium", "high")
            )
            or any(ml.logo_detect(beta.message_screenshot()).brands,
                   .name == "DocuSign"
            )
          )
          // QR lure: the exploded attachment either carries a decoded QR code
          // whose payload contains a '.', or OCR text that talks about scanning
          // together with QR/barcode wording.
          and (
            any(file.explode(.),
                (
                  (
                    .scan.qr.type is not null
                    and regex.contains(.scan.qr.data, '\.')
                  )
                  or
                  // QR code language
                  (
                    regex.icontains(.scan.ocr.raw, 'scan|camera')
                    and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
                  )
                )

                // exclude images taken with mobile cameras and screenshots from android
                // (any EXIF "Model" tag, or a "Software" tag starting with "Android")
                and not any(.scan.exiftool.fields,
                            .key == "Model"
                            or (
                              .key == "Software"
                              and strings.starts_with(.value, "Android")
                            )
                )
                // exclude images taken with mobile cameras and screenshots from Apple
                and not any(.scan.exiftool.fields,
                            .key == "DeviceManufacturer"
                            and .value == "Apple Computer Inc."
                )
            )
          )
  )
  // Legitimate-sender exclusion: drop mail whose composite authentication
  // verdict on some hop is "pass" AND whose sender root domain is DocuSign's.
  // NOTE(review): compauth is a Microsoft composite-auth header; where no hop
  // carries a compauth verdict this exclusion never applies — confirm for the
  // deployment's mail path.
  and (
    not any(headers.hops,
            .authentication_results.compauth.verdict is not null
            and .authentication_results.compauth.verdict == "pass"
            and sender.email.domain.root_domain in (
              "docusign.net",
              "docusign.com"
            )
    )
  )
  // Sender reputation gate: the sender is unsolicited, or has prior
  // malicious/spam messages with no recorded false positives.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "QR code analysis"
  - "Sender analysis"
id: "0b16c28a-3f7e-5a90-bea5-473198424431"