Attachment: DocuSign image lure with no DocuSign domains in links

 1name: "Attachment: DocuSign image lure with no DocuSign domains in links"
 2description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo attached, from a first-time sender."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(filter(attachments, .file_type not in $file_types_images)) == 0
 8  and any(body.links, not strings.ilike(.href_url.domain.root_domain, "docusign.*"))
 9  and any(attachments,
10          (
11            any(ml.logo_detect(.).brands, .name == "DocuSign" and .confidence in ("medium", "high"))
12            or any(file.explode(.),
13                   strings.ilike(.scan.ocr.raw, "*DocuSign*")
14                   and any(ml.nlu_classifier(.scan.ocr.raw).intents,
15                       .name == "cred_theft" and .confidence != "low"
16                   )
17            )
18          )
19          and any(file.explode(.),
20                  regex.icontains(.scan.ocr.raw,
21                                  "review document",
22                                  "[^d][^o][^c][^u]sign",
23                                  "important edocs",
24                                  "completed document"
25                  )
26          )
27  )
28  and (
29    not profile.by_sender().solicited
30    or (
31      profile.by_sender().any_messages_malicious_or_spam
32      and not profile.by_sender().any_false_positives
33    )
34  )
35  and not profile.by_sender().any_false_positives  
36attack_types:
37  - "Credential Phishing"
38tactics_and_techniques:
39  - "Impersonation: Brand"
40  - "Social engineering"
41detection_methods:
42  - "Computer Vision"
43  - "Content analysis"
44  - "Header analysis"
45  - "Natural Language Understanding"
46  - "Optical Character Recognition"
47  - "Sender analysis"
48  - "URL screenshot"
49id: "814a5694-d626-5bf4-a1ba-a1dbcb625279"