Brand impersonation: DocuSign branded attachment lure with no DocuSign links

Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo or verbage within an image or PDF attachment, from an untrusted sender.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: DocuSign branded attachment lure with no DocuSign links"
  2description: "Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo or verbage within an image or PDF attachment, from an untrusted sender."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  and (
  8    (
  9      0 < length(attachments) <= 8
 10      and length(filter(attachments, .file_type in $file_types_images)) > 0
 11    )
 12    or (
 13      length(attachments) > 0
 14      and all(attachments,
 15              .file_type in $file_types_images or .file_type == 'pdf'
 16      )
 17    )
 18  )
 19  and (
 20    // if there are links, ensure they are not docusign links
 21    (
 22      length(body.links) != 0
 23      and any(body.links,
 24              not strings.ilike(.href_url.domain.root_domain, "docusign.*")
 25      )
 26    )
 27    // sometimes there are no body links and it's all in the PDF attachment
 28    or length(body.links) == 0
 29  )
 30  and (
 31    // check the image or pdf attachments for Docusign 
 32    any(filter(attachments,
 33               .file_type in $file_types_images or .file_type == 'pdf'
 34        ),
 35        (
 36          any(ml.logo_detect(.).brands, .name == "DocuSign")
 37          or any(file.explode(.),
 38                 strings.ilike(.scan.ocr.raw, "*DocuSign*")
 39                 and (
 40                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
 41                       .name == "cred_theft" and .confidence != "low"
 42                   )
 43                   or (
 44                     regex.icontains(.scan.ocr.raw,
 45                                     "((re)?view|access|complete(d)?) document(s)?",
 46                                     "[^d][^o][^cd][^ue]sign",
 47                                     "important edocs",
 48                                     // German (Document (check|check|sign|sent))
 49                                     "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
 50                                     // German (important|urgent|immediate)
 51                                     "(wichtig|dringend|sofort)"
 52                     )
 53                     and not strings.count(.scan.ocr.raw, "\n\n\n\n\n\n\n\n\n\n") > 3
 54                   )
 55                 )
 56          )
 57        )
 58        and not any(file.explode(.),
 59                    (
 60                      strings.ilike(.scan.ocr.raw, "*DocuSigned By*")
 61                      and not strings.ilike(.scan.ocr.raw,
 62                                            "*DocuSign Envelope ID*"
 63                      )
 64                    )
 65                    or (.depth == 0 and .scan.exiftool.page_count > 10 and length(.scan.strings.strings) > 8000)
 66        )
 67    )
 68
 69    // accomidate truncated pngs and GIF files which can cause logodetect/OCR failures
 70    or any(attachments,
 71           (
 72             .file_type =~ "gif"
 73             or any(file.explode(.),
 74                    any(.scan.exiftool.fields,
 75                        .key == "Warning" and .value == "Truncated PNG image"
 76                    )
 77             )
 78           )
 79           and (
 80             any(ml.logo_detect(beta.message_screenshot()).brands,
 81                 (
 82                   .name == "DocuSign"
 83                   or any(file.explode(beta.message_screenshot()),
 84                          strings.ilike(.scan.ocr.raw, "*DocuSign*")
 85                   )
 86                 )
 87             )
 88             and (
 89               any(file.explode(beta.message_screenshot()),
 90                   (
 91                     any(ml.nlu_classifier(.scan.ocr.raw).intents,
 92                         .name == "cred_theft" and .confidence != "low"
 93                     )
 94                     or regex.icontains(.scan.ocr.raw,
 95                                        "((re)?view|access|complete(d)?) document(s)?",
 96                                        "[^d][^o][^c][^u]sign",
 97                                        "important edocs",
 98                                        // German (Document (check|check|sign|sent))
 99                                        "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
100                                        // German (important|urgent|immediate)
101                                        "(wichtig|dringend|sofort)"
102                     )
103                   )
104               )
105             )
106             and not any(file.explode(beta.message_screenshot()),
107                         (
108                           strings.ilike(.scan.ocr.raw, "*DocuSigned By*")
109                           and not strings.ilike(.scan.ocr.raw,
110                                                 "*DocuSign Envelope ID*"
111                           )
112                         )
113             )
114           )
115    )
116  )
117  and (
118    not profile.by_sender().solicited
119    or (
120      profile.by_sender().any_messages_malicious_or_spam
121      and not profile.by_sender().any_false_positives
122    )
123  )
124  and not profile.by_sender().any_false_positives
125
126  // negate docusign 'via' messages
127  and not (
128    any(headers.hops,
129        any(.fields,
130            .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
131        )
132    )
133    and strings.contains(sender.display_name, "via")
134  )
135  
136  // negate docusign originated emails
137  and not any(headers.hops,
138              regex.imatch(.received.server.raw, ".+.docusign.(net|com)")
139  )  
140attack_types:
141  - "Credential Phishing"
142tactics_and_techniques:
143  - "Impersonation: Brand"
144  - "Social engineering"
145detection_methods:
146  - "Computer Vision"
147  - "Content analysis"
148  - "Header analysis"
149  - "Natural Language Understanding"
150  - "Optical Character Recognition"
151  - "Sender analysis"
152  - "URL screenshot"
153id: "814a5694-d626-5bf4-a1ba-a1dbcb625279"
to-top