Callback Phishing via DocuSign comment

This rule inspects messages originating from legitimate DocuSign infrastructure, with a DocuSign logo that match Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number.

Sublime rule (View on GitHub)

 1name: "Callback Phishing via DocuSign comment"
 2description: |
 3    This rule inspects messages originating from legitimate DocuSign infrastructure, with a DocuSign logo that match Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number. 
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and length(attachments) == 0
 9  
10  // Legitimate Docusign sending infratructure
11  and (
12      sender.email.domain.root_domain in ('docusign.net', 'docusign.com')
13    // check for DMARC fail for spoofs
14      and any(distinct(headers.hops, .authentication_results.dmarc is not null),
15              strings.ilike(.authentication_results.dmarc, "pass")
16      )
17    )
18  
19  // Docusign Logo 
20  and any(ml.logo_detect(beta.message_screenshot()).brands, .name == "DocuSign")
21  
22  // Callback Phishing
23  and strings.ilike(body.current_thread.text,
24                    "*mcafee*",
25                    "*norton*",
26                    "*geek squad*",
27                    "*paypal*",
28                    "*ebay*",
29                    "*symantec*",
30                    "*best buy*",
31                    "*lifelock*"
32  )
33  
34  and 3 of (
35    strings.ilike(body.current_thread.text, '*purchase*'),
36    strings.ilike(body.current_thread.text, '*payment*'),
37    strings.ilike(body.current_thread.text, '*transaction*'),
38    strings.ilike(body.current_thread.text, '*subscription*'),
39    strings.ilike(body.current_thread.text, '*antivirus*'),
40    strings.ilike(body.current_thread.text, '*order*'),
41    strings.ilike(body.current_thread.text, '*support*'),
42    strings.ilike(body.current_thread.text, '*help line*'),
43    strings.ilike(body.current_thread.text, '*receipt*'),
44    strings.ilike(body.current_thread.text, '*invoice*'),
45    strings.ilike(body.current_thread.text, '*call*'),
46    strings.ilike(body.current_thread.text, '*cancel*'),
47    strings.ilike(body.current_thread.text, '*renew*'),
48    strings.ilike(body.current_thread.text, '*refund*')
49  )
50  // phone number regex
51  and any([body.current_thread.text, subject.subject], regex.icontains(., '\b\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}\b')
52  )  
53
54attack_types:
55  - "Callback Phishing"
56tactics_and_techniques:
57  - "Evasion"
58  - "Impersonation: Brand"
59  - "Out of band pivot"
60  - "Social engineering"
61detection_methods:
62  - "Content analysis"
63  - "Computer Vision"
64  - "Header analysis"
65  - "Sender analysis"
66  - "URL analysis"
67  
68id: "48aec918-d1bb-511e-8eba-8c34a663f28c"
to-top