Callback phishing via DocuSign comment

calendar Aug 5, 2025  ·
Share on: linkedin copy

This rule inspects messages originating from legitimate DocuSign infrastructure, with a DocuSign logo that match Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number.

Sublime rule (View on GitHub)

 1name: "Callback phishing via DocuSign comment"
 2description: |
 3    This rule inspects messages originating from legitimate DocuSign infrastructure, with a DocuSign logo that match Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number. 
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and length(attachments) == 0
 9  
10  // Legitimate Docusign sending infratructure
11  and sender.email.domain.root_domain == 'docusign.net'
12  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
13  
14  // Docusign Logo 
15  and any(ml.logo_detect(beta.message_screenshot()).brands, .name == "DocuSign")
16  
17  // Callback Phishing
18  and regex.icontains(body.current_thread.text,
19                      (
20                        "mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck"
21                      )
22  )
23  and 3 of (
24    strings.ilike(body.current_thread.text, '*purchase*'),
25    strings.ilike(body.current_thread.text, '*payment*'),
26    strings.ilike(body.current_thread.text, '*transaction*'),
27    strings.ilike(body.current_thread.text, '*subscription*'),
28    strings.ilike(body.current_thread.text, '*antivirus*'),
29    strings.ilike(body.current_thread.text, '*order*'),
30    strings.ilike(body.current_thread.text, '*support*'),
31    strings.ilike(body.current_thread.text, '*help line*'),
32    strings.ilike(body.current_thread.text, '*receipt*'),
33    strings.ilike(body.current_thread.text, '*invoice*'),
34    strings.ilike(body.current_thread.text, '*call*'),
35    strings.ilike(body.current_thread.text, '*cancel*'),
36    strings.ilike(body.current_thread.text, '*renew*'),
37    strings.ilike(body.current_thread.text, '*refund*')
38  )
39  // phone number regex
40  and any([body.current_thread.text, subject.subject],
41          regex.icontains(.,
42                        '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
43                        '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
44        )
45  )  
46attack_types:
47  - "Callback Phishing"
48tactics_and_techniques:
49  - "Evasion"
50  - "Impersonation: Brand"
51  - "Out of band pivot"
52  - "Social engineering"
53detection_methods:
54  - "Content analysis"
55  - "Computer Vision"
56  - "Header analysis"
57  - "Sender analysis"
58  - "URL analysis"
59  
60id: "48aec918-d1bb-511e-8eba-8c34a663f28c"
to-top