Attachment: DocuSign image lure with no DocuSign domains in links
Detects DocuSign phishing emails with image attachments and short message bodies.
Sublime rule
```yaml
name: "Attachment: DocuSign image lure with no DocuSign domains in links"
description: "Detects DocuSign phishing emails with image attachments and short message bodies."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.html.inner_text) < 100
  and length(body.links) < 5
  and any(body.links, not strings.ilike(.href_url.domain.root_domain, "docusign.*"))

  and any(attachments, .file_extension in~ ('png','jpg','jpeg')
    and any(file.explode(.),
      any(.scan.strings.strings, strings.ilike(., "*docusign*"))
      and any(.scan.strings.strings, strings.ilike(., "*review*", "*sign*"))
    )
  )
tags:
  - "Suspicious link"
  - "Brand impersonation"
```
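To make the rule's logic concrete outside the Sublime engine, the following added Python example (not part of the rule or of Sublime's code) re-implements each condition over a plain dictionary that stands in for a message: `body_text` plays the role of `body.html.inner_text`, `links` holds the root domain of each link, and each attachment's `strings` list stands in for the strings `file.explode` would extract from the image. `fnmatch` serves as the stand-in for `strings.ilike`. All field names and the sample messages are constructed for this example.

```python
import fnmatch
from typing import Iterable

# Mirrors the rule's `.file_extension in~ ('png','jpg','jpeg')` (case-insensitive).
IMAGE_EXTENSIONS = {"png", "jpg", "jpeg"}
DOCUSIGN_DOMAIN_PATTERN = "docusign.*"


def ilike(value: str, *patterns: str) -> bool:
    """Case-insensitive glob match, standing in for MQL's strings.ilike.

    Like the MQL function, it is true when ANY of the patterns matches.
    """
    lowered = value.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def any_string_like(strings: Iterable[str], *patterns: str) -> bool:
    """any(strings, strings.ilike(., patterns...)) in MQL terms."""
    return any(ilike(s, *patterns) for s in strings)


def is_docusign_image_lure(msg: dict) -> bool:
    """Return True when the constructed message satisfies every clause of the rule."""
    # type.inbound
    if not msg.get("inbound", False):
        return False
    # length(body.html.inner_text) < 100
    if len(msg.get("body_text", "")) >= 100:
        return False
    # length(body.links) < 5
    links = msg.get("links", [])
    if len(links) >= 5:
        return False
    # any(body.links, not strings.ilike(root_domain, "docusign.*"))
    # Note: any() over an empty list is False, so a message with no links never matches.
    if not any(not ilike(link["root_domain"], DOCUSIGN_DOMAIN_PATTERN) for link in links):
        return False
    # any(attachments, image extension and exploded strings mention docusign + review/sign)
    for att in msg.get("attachments", []):
        if att.get("file_extension", "").lower() not in IMAGE_EXTENSIONS:
            continue
        strings = att.get("strings", [])  # stand-in for .scan.strings.strings
        if any_string_like(strings, "*docusign*") and any_string_like(
            strings, "*review*", "*sign*"
        ):
            return True
    return False


# Constructed sample messages (not real traffic).
LURE = {
    "inbound": True,
    "body_text": "You have a document waiting.",
    "links": [{"root_domain": "docs-portal.example"}],  # not a docusign.* domain
    "attachments": [
        {
            "file_extension": "PNG",
            "strings": ["DocuSign", "Please REVIEW and sign your document", "View now"],
        }
    ],
}

LEGIT_DOCUSIGN_LINKS = {
    **LURE,
    "links": [{"root_domain": "docusign.com"}, {"root_domain": "docusign.net"}],
}

NO_LINKS = {**LURE, "links": []}

LONG_BODY = {**LURE, "body_text": "x" * 150}

if __name__ == "__main__":
    for name, sample in [
        ("lure", LURE),
        ("legit docusign links", LEGIT_DOCUSIGN_LINKS),
        ("no links", NO_LINKS),
        ("long body", LONG_BODY),
    ]:
        print(f"{name}: {is_docusign_image_lure(sample)}")
```

Two behaviours worth knowing when tuning: a message whose links all resolve to a `docusign.*` root domain, or that carries no links at all, does not match because `any()` over the link list is false in both cases; and because the string `docusign` itself matches the glob `*sign*`, the second `any(.scan.strings.strings, ...)` clause is satisfied by any image that already satisfied the first, so it does not narrow the rule on its own.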