Brand Impersonation: DocuSign with embedded QR code

This rule detects unsolicited messages with short bodies containing a DocuSign logo, QR code language and an embedded QR code.

Sublime rule (View on GitHub)

# Sublime detection rule. The `source` block holds the query evaluated
# against each message; every other key is rule metadata and does not
# take part in matching.
name: "Brand Impersonation: DocuSign with embedded QR code"
description: "This rule detects unsolicited messages with short bodies containing a DocuSign logo, QR code language and an embedded QR code."
type: "rule"
severity: "high"
source: |
  // Scope: inbound mail only, with a short current-thread body
  // (< 1000 characters) and no attachments -- so the QR code, if any,
  // has to come from the rendered body rather than from a file.
  type.inbound
  and length(body.current_thread.text) < 1000
  and length(attachments) == 0
  // Content and visual checks; all three must hold:
  //  1. the body mentions a QR code: matches QR, Q.R, QR. or Q.R.
  //     (case-insensitive, word-bounded on both sides);
  //  2. the body contains "scan", "mobile" or "camera" as a substring
  //     (no word boundaries, so e.g. "scanning" also matches);
  //  3. logo detection on a screenshot of the rendered message returns
  //     a brand whose name starts with "DocuSign", and exploding that
  //     same screenshot yields at least one object with a non-null QR
  //     scan type whose QR payload contains a literal "." (presumably
  //     a domain or URL -- the payload is not inspected further).
  // The QR `any()` is nested under the brand `any()` only for grouping;
  // it does not reference the matched brand.
  and (
    regex.icontains(body.current_thread.text, '\bQ(\.)?R(\.)?\b')
    and regex.icontains(body.current_thread.text, "scan|mobile|camera")
    and any(ml.logo_detect(beta.message_screenshot()).brands,
            strings.starts_with(.name, "DocuSign")
            and any(file.explode(beta.message_screenshot()),
                    .scan.qr.type is not null
                    and regex.contains(.scan.qr.data, '\.')
            )
    )
  )
  
  // Sender reputation: fire when the sender is unsolicited, or is
  // solicited but has prior malicious/spam messages and no recorded
  // false positives. Any recorded false positive for the sender
  // suppresses the rule outright.
  // NOTE(review): the `any_false_positives` check inside the `or` group
  // appears redundant with the unconditional check that follows it.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
    

# Categorisation metadata for triage and reporting only.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
  - "Impersonation: Brand"
  - "QR code"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "QR code analysis"
  - "Sender analysis"
# Stable identifier for this rule.
id: "f5cde463-68ed-5dd5-a806-7a835f0b4d7c"