Brand impersonation: DocuSign branded attachment lure with no DocuSign links
Detects DocuSign-themed phishing messages from an untrusted sender that contain no DocuSign links but carry a DocuSign logo or DocuSign wording inside an image or PDF attachment.
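name: "Brand impersonation: DocuSign branded attachment lure with no DocuSign links"
description: "Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo or verbage within an image or PDF attachment, from an untrusted sender."
type: "rule"
severity: "high"
source: |
  type.inbound
  // attachment shape: a small number of attachments with at least one image,
  // or any number of attachments that are all images/PDFs
  and (
    (
      0 < length(attachments) <= 8
      and length(filter(attachments, .file_type in $file_types_images)) > 0
    )
    or (
      length(attachments) > 0
      and all(attachments,
              .file_type in $file_types_images or .file_type == 'pdf'
      )
    )
  )
  and (
    // if there are links, ensure they are not docusign links
    // NOTE(review): this passes as soon as ONE link is not under docusign.*,
    // so a message mixing a genuine docusign.* link with a lure link still
    // matches; it does not require that there be zero DocuSign links.
    (
      length(body.links) != 0
      and any(body.links,
              not strings.ilike(.href_url.domain.root_domain, "docusign.*")
      )
    )
    // sometimes there are no body links and it's all in the PDF attachment
    or length(body.links) == 0
  )
  and (
    // check the image or pdf attachments for Docusign
    any(filter(attachments,
               .file_type in $file_types_images or .file_type == 'pdf'
        ),
        (
          any(ml.logo_detect(.).brands, .name == "DocuSign")
          or any(file.explode(.),
                 strings.ilike(.scan.ocr.raw, "*DocuSign*")
                 and (
                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
                       .name == "cred_theft" and .confidence != "low"
                   )
                   or (
                     regex.icontains(.scan.ocr.raw,
                                     "((re)?view|access|complete(d)?) document(s)?",
                                     // "sign"/"signature" not preceded by "docu"
                                     '[^d][^o][^cd][^ue]sign(?:\b|ature)',
                                     "important edocs",
                                     // German (Document (check|check|sign|sent))
                                     "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
                                     // German (important|urgent|immediate)
                                     "(wichtig|dringend|sofort)"
                     )
                     and any(ml.nlu_classifier(.scan.ocr.raw).topics,
                             .name == "E-Signature"
                     )
                     // skip very sparse OCR output (many long runs of blank lines)
                     and not strings.count(.scan.ocr.raw, "\n\n\n\n\n\n\n\n\n\n") > 3
                   )
                 )
          )
        )
        // negate attachments that look like genuine signed/completed documents
        and not any(file.explode(.),
                    strings.ilike(.scan.ocr.raw,
                                  "*DocuSigned By*",
                                  "*DocuSign Envelope ID*",
                                  "*Certificate Of Completion*",
                                  "*Adobe Sign*",
                                  // Additional Adobe Acrobat Sign check
                                  "*Powered by\nAdobe\nAcrobat Sign*"
                    )
                    or (
                      .depth == 0
                      and (
                        // long, text-heavy top-level document: unlikely to be a one-page lure
                        (
                          .scan.exiftool.page_count > 10
                          and length(.scan.strings.strings) > 8000
                        )
                        or (
                          .scan.exiftool.producer == "Acrobat Sign"
                          and any(.scan.exiftool.fields,
                                  .key == "SigningReason"
                                  and .value == "Certified by Adobe Acrobat Sign"
                          )
                        )
                      )
                    )
                    // negate resume related messages
                    or (
                      any(ml.nlu_classifier(body.current_thread.text).topics,
                          .name == "Professional and Career Development"
                          and .confidence == "high"
                      )
                      and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                              .name == "benign" and .confidence != "low"
                      )
                    )
        )
    )

    // accommodate truncated pngs and GIF files which can cause logodetect/OCR failures
    or (
      any(attachments,
          (
            .file_type =~ "gif"
            or any(file.explode(.),
                   any(.scan.exiftool.fields,
                       .key == "Warning" and .value == "Truncated PNG image"
                   )
            )
          )
      )
      and (
        // DocuSign logo in the rendered message, or "DocuSign" in its OCR text.
        // The OCR fallback sits outside the logo_detect any(): any() over an empty
        // brands list is always false, which previously suppressed the OCR check
        // whenever no brand at all was detected in the screenshot.
        any(ml.logo_detect(file.message_screenshot()).brands, .name == "DocuSign")
        or any(file.explode(file.message_screenshot()),
               strings.ilike(.scan.ocr.raw, "*DocuSign*")
        )
      )
      and (
        any(file.explode(file.message_screenshot()),
            (
              any(ml.nlu_classifier(.scan.ocr.raw).intents,
                  .name == "cred_theft" and .confidence != "low"
              )
              or regex.icontains(.scan.ocr.raw,
                                 "((re)?view|access|complete(d)?) document(s)?",
                                 // NOTE(review): looser than the attachment branch's
                                 // '[^d][^o][^cd][^ue]sign(?:\b|ature)' pattern above
                                 "[^d][^o][^c][^u]sign",
                                 "important edocs",
                                 // German (Document (check|check|sign|sent))
                                 "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
                                 // German (important|urgent|immediate)
                                 "(wichtig|dringend|sofort)"
              )
            )
        )
      )
      // NOTE(review): this list lacks the "Powered by Adobe Acrobat Sign" marker
      // that the attachment branch negates on
      and not any(file.explode(file.message_screenshot()),
                  strings.ilike(.scan.ocr.raw,
                                "*DocuSigned By*",
                                "*DocuSign Envelope ID*",
                                "*Certificate Of Completion*",
                                "*Adobe Sign*"
                  )
      )
    )
  )
  // sender is untrusted: unsolicited, new, or previously malicious/spam with no benign history
  and (
    not profile.by_sender_email().solicited
    or profile.by_sender_email().prevalence == "new"
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_messages_benign
    )
  )
  // NOTE(review): this makes the "and not ...any_messages_benign" inside the
  // third alternative above redundant
  and not profile.by_sender_email().any_messages_benign

  // The three negations below key off header values (hop fields, X-Api-Host,
  // References) and the display name. Headers added below the first trusted hop
  // are supplied by the sender and can be forged, so these only suppress genuine
  // DocuSign traffic; they are not proof of origin. TODO(review): consider pairing
  // them with a sender-authentication (SPF/DKIM/DMARC) condition for docusign.net.

  // negate docusign 'via' messages
  and not (
    any(headers.hops,
        any(.fields,
            // docusign.net itself or a subdomain of it, not e.g. "evildocusign.net"
            .name == "X-Api-Host"
            and (
              .value == "docusign.net"
              or strings.ends_with(.value, ".docusign.net")
            )
        )
    )
    and strings.contains(sender.display_name, "via")
  )
  // negate docusign originated emails
  // dots are escaped so hosts such as "smtp.notdocusign.com" no longer satisfy the negation
  and not any(headers.hops,
              regex.imatch(.received.server.raw, '.+\.docusign\.(net|com)')
  )

  // negate replies to docusign notifications
  and not any(headers.references, strings.iends_with(., '@camail.docusign.net'))

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL screenshot"
id: "814a5694-d626-5bf4-a1ba-a1dbcb625279"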