Brand impersonation: DocuSign branded attachment lure with no DocuSign links

Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo or verbage within an image or PDF attachment, from an untrusted sender.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: DocuSign branded attachment lure with no DocuSign links"
  2description: "Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo or verbage within an image or PDF attachment, from an untrusted sender."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  and (
  8    (
  9      0 < length(attachments) <= 8
 10      and length(filter(attachments, .file_type in $file_types_images)) > 0
 11    )
 12    or (
 13      length(attachments) > 0
 14      and all(attachments,
 15              .file_type in $file_types_images or .file_type == 'pdf'
 16      )
 17    )
 18  )
 19  and (
 20    // if there are links, ensure they are not docusign links
 21    (
 22      length(body.links) != 0
 23      and any(body.links,
 24              not strings.ilike(.href_url.domain.root_domain, "docusign.*")
 25      )
 26    )
 27    // sometimes there are no body links and it's all in the PDF attachment
 28    or length(body.links) == 0
 29  )
 30  and (
 31    // check the image or pdf attachments for Docusign 
 32    any(filter(attachments,
 33               .file_type in $file_types_images or .file_type == 'pdf'
 34        ),
 35        (
 36          any(ml.logo_detect(.).brands, .name == "DocuSign")
 37          or any(file.explode(.),
 38                 strings.ilike(.scan.ocr.raw, "*DocuSign*")
 39                 and (
 40                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
 41                       .name == "cred_theft" and .confidence != "low"
 42                   )
 43                   or (
 44                     regex.icontains(.scan.ocr.raw,
 45                                     "((re)?view|access|complete(d)?) document(s)?",
 46                                     '[^d][^o][^cd][^ue]sign(?:\b|ature)',
 47                                     "important edocs",
 48                                     // German (Document (check|check|sign|sent))
 49                                     "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
 50                                     // German (important|urgent|immediate)
 51                                     "(wichtig|dringend|sofort)"
 52                     )
 53                     and not strings.count(.scan.ocr.raw, "\n\n\n\n\n\n\n\n\n\n") > 3
 54                   )
 55                 )
 56          )
 57        )
 58        and not any(file.explode(.),
 59                    strings.ilike(.scan.ocr.raw,
 60                                  "*DocuSigned By*",
 61                                  "*DocuSign Envelope ID*",
 62                                  "*Certificate Of Completion*",
 63                                  "*Adobe Sign*",
 64                                  // Additional Adobe Acrobat Sign check
 65                                  "*Powered by\nAdobe\nAcrobat Sign*"
 66                    )
 67                    or (
 68                      .depth == 0
 69                      and (
 70                        (
 71                          .scan.exiftool.page_count > 10
 72                          and length(.scan.strings.strings) > 8000
 73                        )
 74                        or (
 75                          .scan.exiftool.producer == "Acrobat Sign"
 76                          and any(.scan.exiftool.fields,
 77                                  .key == "SigningReason"
 78                                  and .value == "Certified by Adobe Acrobat Sign"
 79                          )
 80                        )
 81                      )
 82                    )
 83                    // negate resume related messages
 84                    or (
 85                      any(ml.nlu_classifier(body.current_thread.text).topics,
 86                          .name == "Professional and Career Development"
 87                          and .confidence == "high"
 88                      )
 89                      and any(ml.nlu_classifier(.scan.ocr.raw).intents,
 90                              .name == "benign" and .confidence != "low"
 91                      )
 92                    )
 93        )
 94    )
 95  
 96    // accomidate truncated pngs and GIF files which can cause logodetect/OCR failures
 97    or (
 98      any(attachments,
 99          (
100            .file_type =~ "gif"
101            or any(file.explode(.),
102                   any(.scan.exiftool.fields,
103                       .key == "Warning" and .value == "Truncated PNG image"
104                   )
105            )
106          )
107      )
108      and (
109        any(ml.logo_detect(beta.message_screenshot()).brands,
110            (
111              .name == "DocuSign"
112              or any(file.explode(beta.message_screenshot()),
113                     strings.ilike(.scan.ocr.raw, "*DocuSign*")
114              )
115            )
116        )
117        and (
118          any(file.explode(beta.message_screenshot()),
119              (
120                any(ml.nlu_classifier(.scan.ocr.raw).intents,
121                    .name == "cred_theft" and .confidence != "low"
122                )
123                or regex.icontains(.scan.ocr.raw,
124                                   "((re)?view|access|complete(d)?) document(s)?",
125                                   "[^d][^o][^c][^u]sign",
126                                   "important edocs",
127                                   // German (Document (check|check|sign|sent))
128                                   "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
129                                   // German (important|urgent|immediate)
130                                   "(wichtig|dringend|sofort)"
131                )
132              )
133          )
134        )
135        and not any(file.explode(beta.message_screenshot()),
136                    strings.ilike(.scan.ocr.raw,
137                                  "*DocuSigned By*",
138                                  "*DocuSign Envelope ID*",
139                                  "*Certificate Of Completion*",
140                                  "*Adobe Sign*"
141                    )
142        )
143      )
144    )
145  )
146  and (
147    not profile.by_sender_email().solicited
148    or profile.by_sender_email().prevalence == "new"
149    or (
150      profile.by_sender_email().any_messages_malicious_or_spam
151      and not profile.by_sender_email().any_messages_benign
152    )
153  )
154  and not profile.by_sender_email().any_messages_benign
155  
156  // negate docusign 'via' messages
157  and not (
158    any(headers.hops,
159        any(.fields,
160            .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
161        )
162    )
163    and strings.contains(sender.display_name, "via")
164  )
165  // negate docusign originated emails
166  and not any(headers.hops,
167              regex.imatch(.received.server.raw, ".+.docusign.(net|com)")
168  )
169  
170  // negate replies to docusign notifications
171  and not any(headers.references, strings.iends_with(., '@camail.docusign.net'))  
172
173attack_types:
174  - "Credential Phishing"
175tactics_and_techniques:
176  - "Impersonation: Brand"
177  - "Social engineering"
178detection_methods:
179  - "Computer Vision"
180  - "Content analysis"
181  - "Header analysis"
182  - "Natural Language Understanding"
183  - "Optical Character Recognition"
184  - "Sender analysis"
185  - "URL screenshot"
186id: "814a5694-d626-5bf4-a1ba-a1dbcb625279"
to-top