Attachment: DocuSign image lure with no DocuSign domains in links

Detects DocuSign phishing emails with image attachments and short message bodies.

Sublime rule

```yaml
name: "Attachment: DocuSign image lure with no DocuSign domains in links"
description: "Detects DocuSign phishing emails with image attachments and short message bodies."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.html.inner_text) < 100
  and length(body.links) < 5
  and any(body.links, not strings.ilike(.href_url.domain.root_domain, "docusign.*"))
  and any(attachments, .file_extension in~ ('png','jpg','jpeg')
      and any(file.explode(.),
          any(.scan.strings.strings, strings.ilike(., "*docusign*"))
          and any(.scan.strings.strings, strings.ilike(., "*review*", "*sign*"))
      )
  )
tags:
  - "Suspicious link"
  - "Brand impersonation"
```
