Brand impersonation: DocuSign branded attachment lure with no DocuSign links
Detects DocuSign phishing messages from an untrusted sender that contain no DocuSign links but carry a DocuSign logo or DocuSign verbiage inside an image or PDF attachment.
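name: "Brand impersonation: DocuSign branded attachment lure with no DocuSign links"
description: "Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo or verbage within an image or PDF attachment, from an untrusted sender."
type: "rule"
severity: "high"
source: |
  type.inbound
  // attachment shape: either a small set (1-8) that includes at least one image,
  // or any non-empty set made up entirely of images and/or PDFs
  and (
    (
      0 < length(attachments) <= 8
      and length(filter(attachments, .file_type in $file_types_images)) > 0
    )
    or (
      length(attachments) > 0
      and all(attachments,
              .file_type in $file_types_images or .file_type == 'pdf'
      )
    )
  )
  and (
    // if there are links, ensure they are not docusign links
    (
      length(body.links) != 0
      and any(body.links,
              not strings.ilike(.href_url.domain.root_domain, "docusign.*")
      )
    )
    // sometimes there are no body links and it's all in the PDF attachment
    or length(body.links) == 0
  )
  and (
    // check the image or pdf attachments for DocuSign
    any(filter(attachments,
               .file_type in $file_types_images or .file_type == 'pdf'
        ),
        (
          any(ml.logo_detect(.).brands, .name == "DocuSign")
          or any(file.explode(.),
                 strings.ilike(.scan.ocr.raw, "*DocuSign*")
                 and (
                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
                       .name == "cred_theft" and .confidence != "low"
                   )
                   or (
                     regex.icontains(.scan.ocr.raw,
                                     "((re)?view|access|complete(d)?) document(s)?",
                                     // NOTE(review): the negated classes here differ from the
                                     // screenshot branch below ("[^d][^o][^c][^u]sign"); confirm
                                     // which variant is intended and align the two
                                     "[^d][^o][^cd][^ue]sign",
                                     "important edocs",
                                     // German (document (review|check|sign|sent))
                                     "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
                                     // German (important|urgent|immediate)
                                     "(wichtig|dringend|sofort)"
                     )
                     // OCR output made up largely of blank lines is treated as noise
                     and not strings.count(.scan.ocr.raw, "\n\n\n\n\n\n\n\n\n\n") > 3
                   )
                 )
          )
        )
        // exclude completed-envelope PDFs ("DocuSigned By" without an envelope ID)
        // and very large top-level documents
        and not any(file.explode(.),
                    (
                      strings.ilike(.scan.ocr.raw, "*DocuSigned By*")
                      and not strings.ilike(.scan.ocr.raw,
                                            "*DocuSign Envelope ID*"
                      )
                    )
                    or (
                      .depth == 0
                      and .scan.exiftool.page_count > 10
                      and length(.scan.strings.strings) > 8000
                    )
        )
    )

    // accommodate truncated PNGs and GIF files which can cause logo detection/OCR
    // failures; fall back to a screenshot of the rendered message instead
    or any(attachments,
           (
             .file_type =~ "gif"
             or any(file.explode(.),
                    any(.scan.exiftool.fields,
                        .key == "Warning" and .value == "Truncated PNG image"
                    )
             )
           )
           // the OCR fallback is a sibling of the logo check rather than nested inside
           // its per-brand lambda, so it still runs when logo detection returns no brands
           and (
             any(ml.logo_detect(beta.message_screenshot()).brands,
                 .name == "DocuSign"
             )
             or any(file.explode(beta.message_screenshot()),
                    strings.ilike(.scan.ocr.raw, "*DocuSign*")
             )
           )
           and (
             any(file.explode(beta.message_screenshot()),
                 (
                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
                       .name == "cred_theft" and .confidence != "low"
                   )
                   or regex.icontains(.scan.ocr.raw,
                                      "((re)?view|access|complete(d)?) document(s)?",
                                      "[^d][^o][^c][^u]sign",
                                      "important edocs",
                                      // German (document (review|check|sign|sent))
                                      "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
                                      // German (important|urgent|immediate)
                                      "(wichtig|dringend|sofort)"
                   )
                 )
             )
           )
           and not any(file.explode(beta.message_screenshot()),
                       (
                         strings.ilike(.scan.ocr.raw, "*DocuSigned By*")
                         and not strings.ilike(.scan.ocr.raw,
                                               "*DocuSign Envelope ID*"
                         )
                       )
           )
    )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives

  // negate docusign 'via' messages
  // NOTE(review): this exclusion keys on header field content plus a display-name
  // substring; ends_with also accepts any host name that merely ends in
  // "docusign.net", so an exact match or a ".docusign.net" suffix may be tighter
  and not (
    any(headers.hops,
        any(.fields,
            .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
        )
    )
    and strings.contains(sender.display_name, "via")
  )

  // negate docusign originated emails
  // the dots are escaped so only hosts under docusign.net / docusign.com match,
  // not any host that has "docusign" between two arbitrary characters
  and not any(headers.hops,
              regex.imatch(.received.server.raw, ".+\.docusign\.(net|com)")
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL screenshot"
id: "814a5694-d626-5bf4-a1ba-a1dbcb625279"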