Attachment: DocuSign image lure with no DocuSign domains in links
Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo attached, from a first-time sender.
Sublime rule
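name: "Attachment: DocuSign image lure with no DocuSign domains in links"
description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo attached, from a first-time sender."
type: "rule"
severity: "high"
source: |
  type.inbound
  // every attachment must be an image; a message with no attachments also
  // passes this line but is rejected by the any(attachments, ...) below
  and length(filter(attachments, .file_type not in $file_types_images)) == 0
  // NOTE(review): this reads "at least one link whose root domain is not
  // docusign.*", which is looser than the title's "no DocuSign links" and
  // presumably cannot match a message with zero links. Use all(...) or
  // length(filter(body.links, strings.ilike(...))) == 0 if the strict
  // reading is intended.
  and any(body.links, not strings.ilike(.href_url.domain.root_domain, "docusign.*"))
  and any(attachments,
          (
            // DocuSign branding in the image, either via logo detection ...
            any(ml.logo_detect(.).brands, .name == "DocuSign" and .confidence in ("medium", "high"))
            // ... or via OCR text that also classifies as a credential-theft lure
            or any(file.explode(.),
                   strings.ilike(.scan.ocr.raw, "*DocuSign*")
                   and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                           .name == "cred_theft" and .confidence != "low"
                   )
            )
          )
          // plus a call-to-action phrase somewhere in the OCR text
          and any(file.explode(.),
                  regex.icontains(.scan.ocr.raw,
                                  "review document",
                                  // approximates "sign" not preceded by "docu"
                                  // (lookbehind is presumably unavailable here);
                                  // each class consumes one character, so it also
                                  // requires four characters before "sign" and
                                  // skips a "sign" within the first four characters
                                  "[^d][^o][^c][^u]sign",
                                  "important edocs",
                                  "completed document"
                  )
          )
  )
  // sender has never been replied to, or already has a malicious/spam verdict
  // (the false-positive exclusion applies to both branches, so it sits once below)
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  // never fire on a sender with a recorded false positive
  and not profile.by_sender().any_false_positives
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL screenshot"
id: "814a5694-d626-5bf4-a1ba-a1dbcb625279"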