Brand impersonation: DocuSign with embedded QR code

This rule detects unsolicited messages with short bodies containing a DocuSign logo, QR code language and an embedded QR code.

Sublime rule

 1name: "Brand impersonation: DocuSign with embedded QR code"
 2description: "This rule detects unsolicited messages with short bodies containing a DocuSign logo, QR code language and an embedded QR code."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(body.current_thread.text) < 1000
 8  and length(attachments) == 0
 9  and regex.icontains(body.current_thread.text, '\bQ(\.)?R(\.)?\b')
10  and regex.icontains(body.current_thread.text, "scan|mobile|camera")
11  and any(ml.logo_detect(file.message_screenshot()).brands,
12          strings.starts_with(.name, "DocuSign")
13  )
14  //
 15  // This rule makes use of a beta feature (beta.scan_qr) and is subject to change without notice.
 16  // Using the beta feature in custom rules is not recommended until it has been formally released.
17  //
18  and any(beta.scan_qr(file.message_screenshot()).items,
19          .type is not null and regex.contains(.data, '\.')
20  )
21  // negate highly trusted sender domains unless they fail DMARC authentication
22  and (
23    (
24      sender.email.domain.root_domain in $high_trust_sender_root_domains
25      and not headers.auth_summary.dmarc.pass
26    )
27    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
28  )  
29attack_types:
30  - "Credential Phishing"
31tactics_and_techniques:
32  - "Evasion"
33  - "Image as content"
34  - "Impersonation: Brand"
35  - "QR code"
36detection_methods:
37  - "Computer Vision"
38  - "Content analysis"
39  - "QR code analysis"
40  - "Sender analysis"
41id: "f5cde463-68ed-5dd5-a806-7a835f0b4d7c"