Brand Impersonation: DocuSign pdf attachment with suspicious link

calendar Feb 3, 2025  ·
Share on: linkedin copy

This rule detects DocuSign logos within PDF's that do not link to reputable domains, nor docusign themselves. This is typically indicative of Credential Phishing.

Sublime rule (View on GitHub)

 1name: "Brand Impersonation: DocuSign pdf attachment with suspicious link"
 2description: "This rule detects DocuSign logos within PDF's that do not link to reputable domains, nor docusign themselves. This is typically indicative of Credential Phishing."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(attachments,
 8          .file_type == "pdf"
 9          and any(ml.logo_detect(.).brands, .name == "DocuSign")
10          and any(file.explode(.),
11                  length(.scan.url.urls) <=9
12                  and any(.scan.url.urls,
13                          .domain.root_domain not in $tranco_1m
14                          and .domain.root_domain not in $org_domains
15                          and .domain.root_domain != "sublimesecurity.com"
16                          and not strings.ilike(.domain.root_domain, "docusign.*")
17                  )
18                  and any(ml.nlu_classifier(.scan.ocr.raw).entities,
19                          .name == "org" and .text == "DocuSign"
20                  )
21                  and any(ml.nlu_classifier(.scan.ocr.raw).entities,
22                          .name == "request"
23                  )
24          )
25  )
26    
27attack_types:
28  - "Credential Phishing"
29tactics_and_techniques:
30  - "Impersonation: Brand"
31  - "PDF"
32  - "Social engineering"
33detection_methods:
34  - "File analysis"
35  - "Natural Language Understanding"
36  - "Optical Character Recognition"
37  - "URL analysis"
38id: "2601cbb7-0a07-5289-a32f-68c0db3c3170"
to-top