Brand impersonation: DocuSign image attachment lure with no DocuSign links
Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo attached, from an untrusted sender.
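name: "Brand impersonation: DocuSign image attachment lure with no DocuSign links"
description: "Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo attached, from an untrusted sender."
type: "rule"
severity: "high"
source: |
  // Gates, in order: inbound; attachments are images (a small set, or all of them);
  // at least one body link leads away from docusign.*; DocuSign branding is found
  // by logo detection or OCR together with credential-theft language (either on the
  // attachments themselves or, for GIF / truncated-PNG attachments that defeat
  // logo detection and OCR, on a screenshot of the rendered message); the sender is
  // untrusted; and the message did not come through DocuSign's own infrastructure.
  type.inbound
  and (
    (
      0 < length(attachments) <= 8
      and length(filter(attachments, .file_type in $file_types_images)) > 0
    )
    or (
      length(attachments) > 0
      and all(attachments, .file_type in $file_types_images)
    )
  )
  // requires at least one body link whose root domain is not docusign.*;
  // NOTE(review): a message that also carries a genuine docusign.* link still passes
  // this gate, so "no DocuSign links" in the rule name is looser than the check — confirm intended
  and any(body.links,
          not strings.ilike(.href_url.domain.root_domain, "docusign.*")
  )
  and (
    any(attachments,
        (
          any(ml.logo_detect(.).brands, .name == "DocuSign")
          or any(file.explode(.),
                 strings.ilike(.scan.ocr.raw, "*DocuSign*")
                 and (
                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
                       .name == "cred_theft" and .confidence != "low"
                   )
                   or regex.icontains(.scan.ocr.raw,
                                      "((re)?view|access|complete(d)?) document(s)?",
                                      // "sign" preceded by four characters that are not "docu";
                                      // presumably a stand-in for a negative lookbehind so the
                                      // brand name itself does not count as a lure phrase
                                      "[^d][^o][^c][^u]sign",
                                      "important edocs",
                                      // German (Document (check|check|sign|sent))
                                      "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
                                      // German (important|urgent|immediate)
                                      "(wichtig|dringend|sofort)"
                   )
                 )
          )
        )
        // skip images that show a "DocuSigned By" stamp without an envelope ID
        // (presumably a cropped signature block from a genuinely signed document — verify)
        and not any(file.explode(.),
                    (
                      strings.ilike(.scan.ocr.raw, "*DocuSigned By*")
                      and not strings.ilike(.scan.ocr.raw,
                                            "*DocuSign Envelope ID*"
                      )
                    )
        )
    )

    // accommodate truncated PNGs and GIF files, which can cause logo detection / OCR failures;
    // for those, evaluate a screenshot of the rendered message instead of the attachment
    or any(attachments,
           (
             .file_type =~ "gif"
             or any(file.explode(.),
                    any(.scan.exiftool.fields,
                        .key == "Warning" and .value == "Truncated PNG image"
                    )
             )
           )
           and (
             // logo hit OR an OCR brand mention; the OCR fallback is a sibling of the
             // brand check (mirroring the attachment branch above) so it is still
             // evaluated when logo detection returns no brands at all
             any(ml.logo_detect(beta.message_screenshot()).brands, .name == "DocuSign")
             or any(file.explode(beta.message_screenshot()),
                    strings.ilike(.scan.ocr.raw, "*DocuSign*")
             )
           )
           and (
             any(file.explode(beta.message_screenshot()),
                 (
                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
                       .name == "cred_theft" and .confidence != "low"
                   )
                   or regex.icontains(.scan.ocr.raw,
                                      "((re)?view|access|complete(d)?) document(s)?",
                                      // see the attachment branch above for the intent of this pattern
                                      "[^d][^o][^c][^u]sign",
                                      "important edocs",
                                      // German (Document (check|check|sign|sent))
                                      "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
                                      // German (important|urgent|immediate)
                                      "(wichtig|dringend|sofort)"
                   )
                 )
             )
           )
           and not any(file.explode(beta.message_screenshot()),
                       (
                         strings.ilike(.scan.ocr.raw, "*DocuSigned By*")
                         and not strings.ilike(.scan.ocr.raw,
                                               "*DocuSign Envelope ID*"
                         )
                       )
           )
    )
  )
  // sender is untrusted: unsolicited, or previously seen sending malicious/spam mail
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      // redundant with the unconditional any_false_positives guard below; kept for
      // readability of the "previously malicious" branch
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives

  // negate docusign 'via' messages
  // NOTE(review): X-Api-Host is a sender-supplied header and the "via" test is a
  // plain substring match, so this exclusion rests on easily forged signals — the
  // Received-server check below is the stronger of the two
  and not (
    any(headers.hops,
        any(.fields,
            .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
        )
    )
    and strings.contains(sender.display_name, "via")
  )

  // negate docusign originated emails
  // dots are escaped: the unescaped form ".+.docusign.(net|com)" let any host whose
  // label merely contains "docusign" satisfy this exclusion and suppress the detection.
  // NOTE(review): hops added before the message reached trusted MTAs are sender-supplied,
  // so a forged Received header can still satisfy this clause — confirm acceptable
  and not any(headers.hops,
              regex.imatch(.received.server.raw, ".+\\.docusign\\.(net|com)")
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL screenshot"
id: "814a5694-d626-5bf4-a1ba-a1dbcb625279"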