Attachment: DocuSign impersonation via PDF linking to new domain

This rule detects PDF files containing a DocuSign logo that link to a newly created domain (less than or equal to 3 days old).

Sublime rule

 1name: "Attachment: DocuSign impersonation via PDF linking to new domain"
 2description: "This rule detects PDF files containing a DocuSign logo linking to a newly created domain (Less than or equal to 3 days)"
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(attachments,
 8          .file_type == "pdf"
 9          and any(ml.logo_detect(.).brands, .name == "DocuSign")
10          and any(file.explode(.),
11                  any(.scan.pdf.urls, network.whois(.domain).days_old <= 3)
12          )
13  )
14  
15  // negate highly trusted sender domains unless they fail DMARC authentication
16  and (
17    (
18      sender.email.domain.root_domain in $high_trust_sender_root_domains
19      and not headers.auth_summary.dmarc.pass
20    )
21    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
22  )
23  
24  // excludes senders that contain "via" in the display name a resilient way
25  and not (
26    any(headers.hops,
27        any(.fields,
28            .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
29        )
30    )
31  )  
32attack_types:
33  - "Credential Phishing"
34tactics_and_techniques:
35  - "Impersonation: Brand"
36  - "PDF"
37  - "Social engineering"
38detection_methods:
39  - "Header analysis"
40  - "Sender analysis"
41  - "URL analysis"
42  - "File analysis"
43  - "Computer Vision"
44  - "Whois"
45id: "f0c96282-6eb9-5e84-aa9d-a48f66db5a74"