Brand impersonation: DocuSign (QR code)
Detects messages using DocuSign image-based lures that reference or include a QR code, sent from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
# Sublime Security detection rule: YAML metadata plus an MQL query in `source`.
# The query fires on inbound mail that carries a DocuSign-branded image/PDF which
# also contains (or talks about) a QR code, unless the sender is verifiably DocuSign.
name: "Brand impersonation: DocuSign (QR code)"
description: "Detects messages using DocuSign image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads."
type: "rule"
severity: "high"
# NOTE(review): the description mentions an "Unsolicited sender", but the query below
# carries no sender-history condition — confirm whether that wording is intended.
source: |
  // Scope: inbound mail only.
  type.inbound
  // At least one attachment must satisfy BOTH the branding test and the QR test below.
  and any(attachments,
          // Only image attachments and PDFs are inspected.
          (.file_type in $file_types_images or .file_type == "pdf")
          // Branding: a DocuSign logo either in the attachment itself (medium/high
          // confidence only) or anywhere in a screenshot of the rendered message
          // (no confidence floor is applied on that second path).
          and (
            any(ml.logo_detect(.).brands,
                .name == "DocuSign" and .confidence in ("medium", "high")
            )
            or any(ml.logo_detect(file.message_screenshot()).brands,
                   .name == "DocuSign"
            )
          )
          // QR test, evaluated over the exploded contents of the attachment.
          and (
            any(file.explode(.),
                (
                  // Path 1: a decoded QR code whose payload contains a '.'
                  // (presumably to require a URL/domain-like payload — confirm).
                  (
                    .scan.qr.type is not null
                    and regex.contains(.scan.qr.data, '\.')
                  )
                  or
                  // QR code language
                  // Path 2: no decoded QR, but OCR text instructs the reader to
                  // scan a QR code / barcode with a camera.
                  (
                    regex.icontains(.scan.ocr.raw, 'scan|camera')
                    and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
                  )
                )

                // exclude images taken with mobile cameras and screenshots from android
                // (any EXIF "Model" key, or a "Software" value starting with "Android",
                // drops the file from consideration — a false-positive guard, not a detection)
                and not any(.scan.exiftool.fields,
                            .key == "Model"
                            or (
                              .key == "Software"
                              and strings.starts_with(.value, "Android")
                            )
                )
                // exclude images taken with mobile cameras and screenshots from Apple
                and not any(.scan.exiftool.fields,
                            .key == "DeviceManufacturer"
                            and .value == "Apple Computer Inc."
                )
            )
          )
  )
  // Genuine DocuSign mail is excluded only when the sender root domain matches AND
  // DMARC passes, so a spoofed From: header alone cannot suppress the rule.
  and not (
    sender.email.domain.root_domain in ("docusign.net", "docusign.com")
    and headers.auth_summary.dmarc.pass
  )

# Classification metadata consumed by the platform; no effect on matching.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "QR code analysis"
  - "Sender analysis"
id: "0b16c28a-3f7e-5a90-bea5-473198424431"