Attachment: DocuSign Impersonation (PDF) linking to New Domain <=3d
This rule detects PDF attachments containing a DocuSign logo that link to a newly registered domain (WHOIS age of three days or less).
Sublime rule (View on GitHub)
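name: "Attachment: DocuSign Impersonation (PDF) linking to New Domain <=3d"
description: "This rule detects PDF files containing a DocuSign logo linking to a newly created domain (Less than or equal to 3 days)"
type: "rule"
severity: "medium"
source: |
  // Inbound mail carrying a PDF attachment that (a) shows a DocuSign logo per
  // computer-vision brand detection and (b) contains at least one URL whose domain
  // was registered <= 3 days ago according to WHOIS.
  // NOTE(review): presumably days_old is null when WHOIS has no creation date, in
  // which case the comparison is false and that URL does not fire — confirm.
  type.inbound
  and any(attachments,
          .file_type == "pdf"
          and any(ml.logo_detect(.).brands, .name == "DocuSign")
          and any(file.explode(.),
                  any(.scan.pdf.urls, network.whois(.domain).days_old <= 3)
          )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a high-trust sender address alone is spoofable, so it is only excluded when
  // DMARC actually passes)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // exclude mail that traversed DocuSign's own infrastructure, identified by an
  // X-Api-Host hop header naming docusign.net or one of its subdomains.
  // A bare ends_with("docusign.net") would also accept look-alike hosts such as
  // "notdocusign.net", so the value must be the apex or end in ".docusign.net".
  // NOTE(review): this header is supplied along the sending path and is not
  // authenticated here, so a sender could add it. If forged X-Api-Host bypasses are
  // observed, consider pairing this exclusion with a sender-domain / DMARC check.
  and not (
    any(headers.hops,
        any(.fields,
            .name == "X-Api-Host"
            and (
              .value == "docusign.net"
              or strings.ends_with(.value, ".docusign.net")
            )
        )
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
  - "File analysis"
  - "Computer Vision"
  - "Whois"
id: "f0c96282-6eb9-5e84-aa9d-a48f66db5a74"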