Attachment: DocuSign Impersonation (PDF) linking to New Domain <=3d

 1name: "Attachment: DocuSign Impersonation (PDF) linking to New Domain <=3d"
 2description: "This rule detects PDF files containing a DocuSign logo linking to a newly created domain (Less than or equal to 3 days)"
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(attachments,
 8          .file_type == "pdf"
 9          and any(ml.logo_detect(.).brands, .name == "DocuSign")
10          and any(file.explode(.), any(.scan.pdf.urls, beta.whois(.domain).days_old <= 3))
11  )
12  
13  // negate legitimate docusign infrastructure
14  and
15    (
16      (
17        sender.email.domain.root_domain in ('docusign.net', 'docusign.com')
18        and (
19          any(distinct(headers.hops, .authentication_results.dmarc is not null),
20              strings.ilike(.authentication_results.dmarc, "*fail")
21          )
22        )
23      )
24      or sender.email.domain.root_domain not in ('docusign.net', 'docusign.com')
25    )
26    
27  // excludes senders that contain "via" in the display name a resilient way
28  and not (
29    any(headers.hops,
30        any(.fields, .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net"))
31    )
32  )  
33attack_types:
34  - "Credential Phishing"
35tactics_and_techniques:
36  - "Impersonation: Brand"
37  - "PDF"
38  - "Social engineering"
39detection_methods:
40  - "Header analysis"
41  - "Sender analysis"
42  - "URL analysis"
43  - "File analysis"
44  - "Computer Vision"
45  - "Whois"
46id: "f0c96282-6eb9-5e84-aa9d-a48f66db5a74"