Brand impersonation: DocuSign with embedded QR code

 1name: "Brand impersonation: DocuSign with embedded QR code"
 2description: "This rule detects unsolicited messages with short bodies containing a DocuSign logo, QR code language and an embedded QR code."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(body.current_thread.text) < 1000
 8  and length(attachments) == 0
 9  and regex.icontains(body.current_thread.text, '\bQ(\.)?R(\.)?\b')
10  and regex.icontains(body.current_thread.text, "scan|mobile|camera")
11  and any(ml.logo_detect(file.message_screenshot()).brands,
12          strings.starts_with(.name, "DocuSign")
13  )
14  //
15  // This rule makes use of a beta feature and is subject to change without notice
16  // using the beta feature in custom rules is not suggested until it has been formally released
17  //
18  and any(beta.scan_qr(file.message_screenshot()).items,
19          .type is not null and regex.contains(.data, '\.')
20  )
21  and (
22    not profile.by_sender().solicited
23    or (
24      profile.by_sender().any_messages_malicious_or_spam
25      and not profile.by_sender().any_messages_benign
26    )
27  )
28  and not profile.by_sender().any_messages_benign
29  
30  // negate highly trusted sender domains unless they fail DMARC authentication
31  and (
32    (
33      sender.email.domain.root_domain in $high_trust_sender_root_domains
34      and not headers.auth_summary.dmarc.pass
35    )
36    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
37  )  
38attack_types:
39  - "Credential Phishing"
40tactics_and_techniques:
41  - "Evasion"
42  - "Image as content"
43  - "Impersonation: Brand"
44  - "QR code"
45detection_methods:
46  - "Computer Vision"
47  - "Content analysis"
48  - "QR code analysis"
49  - "Sender analysis"
50id: "f5cde463-68ed-5dd5-a806-7a835f0b4d7c"