Brand impersonation: Xodo Sign

Detects messages impersonating Xodo Sign with 'Processed by Xodo Sign' text from unauthorized senders that fail DMARC authentication.

Sublime rule

name: "Brand impersonation: Xodo Sign"
description: "Detects messages impersonating Xodo Sign with 'Processed by Xodo Sign' text from unauthorized senders that fail DMARC authentication."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.icontains(body.current_thread.text, "processed by xodo sign")
  and not (
    sender.email.domain.root_domain == "eversign.com"
    and headers.auth_summary.dmarc.pass
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "e6139052-6ec8-5d3c-91e1-13ab1ae2d536"
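The rule's logic re-implemented as a stand-alone Python check over constructed sample messages, so the exclusion (eversign.com root domain plus a DMARC pass) can be exercised offline. This is an added example, not Sublime's code or the rule's own evaluation engine; the root-domain helper is an assumed two-label heuristic rather than a public-suffix lookup, and the `.example` domains are constructed.

```python
import email
from email.message import Message
from email.utils import parseaddr

PHRASE = "processed by xodo sign"      # matched case-insensitively, as in the rule
LEGIT_ROOT_DOMAIN = "eversign.com"    # the rule's authorized sender root domain


def sender_root_domain(msg: Message) -> str:
    """Root domain of the From: address (assumed two-label heuristic, not a PSL lookup)."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def dmarc_passed(msg: Message) -> bool:
    """True if any Authentication-Results header carries a dmarc=pass clause."""
    for hdr in msg.get_all("Authentication-Results", []):
        if any(c.strip().lower().startswith("dmarc=pass") for c in hdr.split(";")):
            return True
    return False


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts (a non-multipart message is its own single part)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")


def matches_rule(raw: str) -> bool:
    """Mirror the rule: phrase present AND NOT (eversign.com root domain AND DMARC pass)."""
    msg = email.message_from_string(raw)
    if PHRASE not in body_text(msg).lower():
        return False
    authorized = sender_root_domain(msg) == LEGIT_ROOT_DOMAIN and dmarc_passed(msg)
    return not authorized


# Constructed sample messages (not real traffic).
PHISH = """\
From: "Xodo Sign" <docs@xodo-sign-review.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=xodo-sign-review.example; dmarc=fail header.from=xodo-sign-review.example
Content-Type: text/plain; charset=utf-8

Please review and sign the agreement.
Processed by Xodo Sign
"""
LEGIT = PHISH.replace("xodo-sign-review.example", "mail.eversign.com").replace("dmarc=fail", "dmarc=pass")
SPOOFED = LEGIT.replace("dmarc=pass", "dmarc=fail")   # eversign.com in From: but DMARC fails

if __name__ == "__main__":
    for name, raw in [("PHISH", PHISH), ("LEGIT", LEGIT), ("SPOOFED", SPOOFED)]:
        print(name, "-> flagged" if matches_rule(raw) else "-> allowed")
```

Running it flags PHISH and SPOOFED and allows LEGIT, which is the behaviour the `and not (...)` exclusion in the rule is meant to produce.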