Brand impersonation: DocuSign branded attachment lure with no DocuSign links

Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo or verbage within an image or PDF attachment, from an untrusted sender.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: DocuSign branded attachment lure with no DocuSign links"
  2description: "Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo or verbage within an image or PDF attachment, from an untrusted sender."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  and (
  8    (
  9      0 < length(attachments) <= 8
 10      and length(filter(attachments, .file_type in $file_types_images)) > 0
 11    )
 12    or (
 13      length(attachments) > 0
 14      and all(attachments,
 15              .file_type in $file_types_images or .file_type == 'pdf'
 16      )
 17    )
 18  )
 19  and (
 20    // if there are links, ensure they are not docusign links
 21    (
 22      length(body.links) != 0
 23      and any(body.links,
 24              not strings.ilike(.href_url.domain.root_domain, "docusign.*")
 25      )
 26    )
 27    // sometimes there are no body links and it's all in the PDF attachment
 28    or length(body.links) == 0
 29  )
 30  and (
 31    // check the image or pdf attachments for Docusign 
 32    any(filter(attachments,
 33               .file_type in $file_types_images or .file_type == 'pdf'
 34        ),
 35        (
 36          any(ml.logo_detect(.).brands, .name == "DocuSign")
 37          or any(file.explode(.),
 38                 strings.ilike(.scan.ocr.raw, "*DocuSign*")
 39                 and (
 40                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
 41                       .name == "cred_theft" and .confidence != "low"
 42                   )
 43                   or (
 44                     regex.icontains(.scan.ocr.raw,
 45                                     "((re)?view|access|complete(d)?) document(s)?",
 46                                     '[^d][^o][^cd][^ue]sign(?:\b|ature)',
 47                                     "important edocs",
 48                                     // German (Document (check|check|sign|sent))
 49                                     "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
 50                                     // German (important|urgent|immediate)
 51                                     "(wichtig|dringend|sofort)"
 52                     )
 53                     and not strings.count(.scan.ocr.raw, "\n\n\n\n\n\n\n\n\n\n") > 3
 54                   )
 55                 )
 56          )
 57        )
 58        and not any(file.explode(.),
 59                    strings.ilike(.scan.ocr.raw, "*DocuSign Envelope ID*")
 60                    or strings.ilike(.scan.ocr.raw, "*Certificate Of Completion*")
 61                    or (
 62                      .depth == 0
 63                      and .scan.exiftool.page_count > 10
 64                      and length(.scan.strings.strings) > 8000
 65                    )
 66        )
 67    )
 68
 69    // accomidate truncated pngs and GIF files which can cause logodetect/OCR failures
 70    or any(attachments,
 71           (
 72             .file_type =~ "gif"
 73             or any(file.explode(.),
 74                    any(.scan.exiftool.fields,
 75                        .key == "Warning" and .value == "Truncated PNG image"
 76                    )
 77             )
 78           )
 79           and (
 80             any(ml.logo_detect(beta.message_screenshot()).brands,
 81                 (
 82                   .name == "DocuSign"
 83                   or any(file.explode(beta.message_screenshot()),
 84                          strings.ilike(.scan.ocr.raw, "*DocuSign*")
 85                   )
 86                 )
 87             )
 88             and (
 89               any(file.explode(beta.message_screenshot()),
 90                   (
 91                     any(ml.nlu_classifier(.scan.ocr.raw).intents,
 92                         .name == "cred_theft" and .confidence != "low"
 93                     )
 94                     or regex.icontains(.scan.ocr.raw,
 95                                        "((re)?view|access|complete(d)?) document(s)?",
 96                                        "[^d][^o][^c][^u]sign",
 97                                        "important edocs",
 98                                        // German (Document (check|check|sign|sent))
 99                                        "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
100                                        // German (important|urgent|immediate)
101                                        "(wichtig|dringend|sofort)"
102                     )
103                   )
104               )
105             )
106             and not any(file.explode(beta.message_screenshot()),
107                         (
108                           strings.ilike(.scan.ocr.raw, "*DocuSigned By*")
109                           and not strings.ilike(.scan.ocr.raw,
110                                                 "*DocuSign Envelope ID*"
111                           )
112                           and not strings.ilike(.scan.ocr.raw,
113                                                 "*Certificate Of Completion*"
114                           )
115                         )
116             )
117           )
118    )
119  )
120  and (
121    not profile.by_sender().solicited
122    or (
123      profile.by_sender().any_messages_malicious_or_spam
124      and not profile.by_sender().any_false_positives
125    )
126  )
127  and not profile.by_sender().any_false_positives
128
129  // negate docusign 'via' messages
130  and not (
131    any(headers.hops,
132        any(.fields,
133            .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
134        )
135    )
136    and strings.contains(sender.display_name, "via")
137  )
138  
139  // negate docusign originated emails
140  and not any(headers.hops,
141              regex.imatch(.received.server.raw, ".+.docusign.(net|com)")
142  )  
143attack_types:
144  - "Credential Phishing"
145tactics_and_techniques:
146  - "Impersonation: Brand"
147  - "Social engineering"
148detection_methods:
149  - "Computer Vision"
150  - "Content analysis"
151  - "Header analysis"
152  - "Natural Language Understanding"
153  - "Optical Character Recognition"
154  - "Sender analysis"
155  - "URL screenshot"
156id: "814a5694-d626-5bf4-a1ba-a1dbcb625279"
to-top