Brand impersonation: DocuSign (QR code)

Detects messages using DocuSign image-based lures that reference or include a QR code, sent from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: DocuSign (QR code)"
 2description: "Detects messages using DocuSign image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads."
 3type: "rule"
 4severity: "high"
  # The MQL query below is the whole detection: every top-level "and" clause
  # must hold for a message to match.
 5source: |
    // Scope: inbound mail only.
 6  type.inbound
    // Clause 1: some attachment is an image or a PDF ...
 7  and any(attachments,
 8          (.file_type in $file_types_images or .file_type == "pdf")
 9          and (
            // ... that carries a DocuSign logo at medium/high confidence ...
10            any(ml.logo_detect(.).brands,
11                .name == "DocuSign" and .confidence in ("medium", "high")
12            )
            // ... or the rendered message screenshot does. NOTE(review): this
            // branch applies no confidence threshold and does not depend on the
            // attachment being iterated, so it is effectively a per-message
            // check — confirm that is intended.
13            or any(ml.logo_detect(beta.message_screenshot()).brands,
14                   .name == "DocuSign"
15            )
16          )
17          and (
            // ... and, after exploding that attachment, some child object
            // either decodes as a QR code or contains QR-code wording.
18            any(file.explode(.),
19                (
20                  (
21                    .scan.qr.type is not null
                      // Decoded QR payload must contain a dot — presumably a
                      // loose domain/URL heuristic; verify against intended
                      // coverage (a payload with no dot is not matched here).
22                    and regex.contains(.scan.qr.data, '\.')
23                  )
24                  or 
25                  // QR code language
                    // Both OCR patterns are required: an instruction to
                    // scan/use a camera plus a QR/barcode reference.
26                  ( 
27                    regex.icontains(.scan.ocr.raw, 'scan|camera')
28                    and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
29                  )
30                )
31  
32                // exclude images taken with mobile cameras and screenshots from android
                  // Any EXIF "Model" key excludes the file regardless of its
                  // value; "Software" is only excluded when it starts with
                  // "Android". This is a false-positive/coverage trade-off.
33                and not any(.scan.exiftool.fields,
34                            .key == "Model"
35                            or (
36                              .key == "Software"
37                              and strings.starts_with(.value, "Android")
38                            )
39                )
40                // exclude images taken with mobile cameras and screenshots from Apple
41                and not any(.scan.exiftool.fields,
42                            .key == "DeviceManufacturer"
43                            and .value == "Apple Computer Inc."
44                )
45            )
46          )
47  )
    // Clause 2: do not fire on mail that is genuinely from DocuSign. A hop
    // must carry a passing compauth (composite authentication) verdict AND
    // the sender root domain must be a DocuSign domain. Because both are
    // required, a DocuSign From address that does not pass compauth is still
    // evaluated by the rest of the rule rather than excluded.
48  and (
49    not any(headers.hops,
50            .authentication_results.compauth.verdict is not null
51            and .authentication_results.compauth.verdict == "pass"
52            and sender.email.domain.root_domain in (
53              "docusign.net",
54              "docusign.com"
55            )
56    )
57  )
    // Clause 3: sender-reputation gate. Match unsolicited senders, or
    // solicited senders with prior malicious/spam messages and no recorded
    // false positives.
58  and (
59    not profile.by_sender().solicited
60    or (
61      profile.by_sender().any_messages_malicious_or_spam
62      and not profile.by_sender().any_false_positives
63    )
64  )  
 65
  # Classification metadata used for triage and reporting; it does not affect
  # the query above.
66attack_types:
67  - "Credential Phishing"
68tactics_and_techniques:
69  - "Impersonation: Brand"
70  - "PDF"
71  - "QR code"
72  - "Social engineering"
73detection_methods:
74  - "Computer Vision"
75  - "Header analysis"
76  - "QR code analysis"
77  - "Sender analysis"
78id: "0b16c28a-3f7e-5a90-bea5-473198424431"