Brand impersonation: DocuSign (QR code)

Detects messages using DocuSign image-based lures that reference or include a QR code and come from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: DocuSign (QR code)"
 2description: "Detects messages using DocuSign image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads."
 3type: "rule"
 4severity: "high"
 5source: |
    // Rule structure, all four parts must hold:
    //   (1) an image/PDF attachment, or a screenshot of the message, carries a DocuSign logo;
    //   (2) an attachment carries QR/barcode wording in its OCR text, or a URL-type QR code
    //       together with a recipient-targeting, empty-body or subject heuristic;
    //   (3) the sender is not an authenticated docusign.net / docusign.com sender;
    //   (4) the sender profile is unsolicited, or solicited with prior malicious/spam history.
 6  type.inbound
    // (1) Logo check. The first branch runs logo detection on the attachment itself and requires
    // medium/high confidence; the second branch runs it on a screenshot of the whole message, does
    // not depend on the attachment being iterated, and applies no confidence threshold.
 7  and any(attachments,
 8          (.file_type in $file_types_images or .file_type == "pdf")
 9          and (
10            any(ml.logo_detect(.).brands,
11                .name == "DocuSign" and .confidence in ("medium", "high")
12            )
13            or any(ml.logo_detect(beta.message_screenshot()).brands,
14                   .name == "DocuSign"
15            )
16          )
17  )
    // (2) QR/barcode check over image, PDF and macro-capable attachments.
18  and any(attachments,
19          (
20            .file_type in $file_types_images
21            or .file_type == "pdf"
22            or .file_type in $file_extensions_macros
23          )
24          and (
              // Branch A: OCR text of the exploded file mentions scanning/camera AND a QR code or
              // barcode (both matches are case-insensitive).
25            any(file.explode(.),
26                regex.icontains(.scan.ocr.raw, 'scan|camera')
27                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
28            )
              // Branch B: the exploded file contains a URL-type QR code and at least one of the
              // heuristics below holds. Only the first heuristic uses the iterated recipient; the
              // display-name, body and subject checks evaluate the same for every recipient, so
              // any one of them satisfies the outer any() as long as there is at least one recipient.
29            or (
30              any(file.explode(.),
31                  .scan.qr.type == "url"
32                  // recipient email address is present in the URL, a common tactic used in credential phishing attacks
33                  and any(recipients.to,
34                          strings.icontains(..scan.qr.data, .email.email)
35  
36                          // the recipient's SLD appears in the sender's display name
37                          or any(recipients.to,
38                                 strings.icontains(sender.display_name,
39                                                   .email.domain.sld
40                                 )
41                          )
42  
43                          // the recipient's local part appears in the current thread body
44                          or any(recipients.to,
45                                 strings.icontains(body.current_thread.text,
46                                                   .email.local_part
47                                 )
48                          )
49  
50                          // or the body is null or empty
51                          or body.current_thread.text is null
52                          or body.current_thread.text == ""
53  
54                          // or the subject contains authentication/urgency verbiage
                          // NOTE(review): regex.contains is case-sensitive, unlike the regex.icontains
                          // used for the OCR text above, so subjects such as "ALERT", "2FA" or
                          // "Action Required" would not match this pattern — confirm whether that is intended.
55                          or regex.contains(subject.subject,
56                                            "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
57                          )
58                  )
59              )
60            )
61          )
62  )
63  
    // (3) Exclude legitimate DocuSign mail: a hop with a compauth verdict of "pass" while the
    // sender's root domain is docusign.net or docusign.com. The root-domain test does not depend on
    // the hop being iterated.
64  and (
65    not any(headers.hops,
66            .authentication_results.compauth.verdict is not null
67            and .authentication_results.compauth.verdict == "pass"
68            and sender.email.domain.root_domain in ("docusign.net", "docusign.com")
69    )
70  )
    // (4) Sender reputation: fire for unsolicited senders, or for solicited senders that already
    // have malicious/spam messages on record and no recorded false positives.
71  and (
72    not profile.by_sender().solicited
73    or (
74      profile.by_sender().any_messages_malicious_or_spam
75      and not profile.by_sender().any_false_positives
76    )
77  )
78    
79attack_types:
80  - "Credential Phishing"
81tactics_and_techniques:
82  - "Impersonation: Brand"
83  - "PDF"
84  - "QR code"
85  - "Social engineering"
86detection_methods:
87  - "Computer Vision"
88  - "Header analysis"
89  - "QR code analysis"
90  - "Sender analysis"
91id: "0b16c28a-3f7e-5a90-bea5-473198424431"