Callback Phishing via DocuSign comment
This rule inspects messages originating from legitimate DocuSign infrastructure (DocuSign sender domain with SPF or DMARC passing) that carry a DocuSign logo and match callback-phishing criteria in the body: at least one impersonated brand name, at least three callback-phishing terms, and a phone number in the body or subject.
name: "Callback Phishing via DocuSign comment"
description: |
  This rule inspects messages originating from legitimate DocuSign infrastructure, with a DocuSign logo that match Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number.
type: "rule"
severity: "high"
source: |
  // Scope: inbound mail with no attachments. The lure this rule targets is in
  // the message text itself (a phone number to call), not in a file.
  type.inbound
  and length(attachments) == 0

  // Legitimate Docusign sending infrastructure: the sender's root domain is a
  // DocuSign domain AND the message passed SPF or DMARC. The rule is looking
  // for abuse of the real DocuSign service (attacker-supplied envelope/comment
  // text relayed by DocuSign), so a spoofed DocuSign sender that fails both
  // authentication checks does not match here.
  and (
    sender.email.domain.root_domain in ('docusign.net', 'docusign.com')
    // check for SPF or DMARC passed -- either one passing is accepted
    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
  )

  // Docusign Logo: ML logo detection on a rendered screenshot of the message.
  // NOTE(review): beta.message_screenshot is presumably a beta-status function
  // (beta.* namespace) -- confirm it is still available before relying on it.
  and any(ml.logo_detect(beta.message_screenshot()).brands, .name == "DocuSign")

  // Callback Phishing: at least one commonly impersonated brand name in the
  // current thread's text. strings.ilike is a case-insensitive glob-style
  // match; '*' is any run of characters and '?' a single character, so
  // "*geek?squad*" is presumably meant to cover "geek squad" / "geek-squad".
  // Substring matching is intentionally loose; the 3-of block below narrows it.
  and strings.ilike(body.current_thread.text,
                    "*mcafee*",
                    "*norton*",
                    "*geek?squad*",
                    "*paypal*",
                    "*ebay*",
                    "*symantec*",
                    "*best buy*",
                    "*lifelock*"
  )

  // At least three distinct transactional / support / urgency terms.
  // NOTE(review): these are unanchored substring matches, so '*call*' also hits
  // "callback"/"recall" and '*order*' hits "border"/"in order to". The 3-of
  // threshold is what keeps this from firing on ordinary envelope messages;
  // keep that in mind before loosening it.
  and 3 of (
    strings.ilike(body.current_thread.text, '*purchase*'),
    strings.ilike(body.current_thread.text, '*payment*'),
    strings.ilike(body.current_thread.text, '*transaction*'),
    strings.ilike(body.current_thread.text, '*subscription*'),
    strings.ilike(body.current_thread.text, '*antivirus*'),
    strings.ilike(body.current_thread.text, '*order*'),
    strings.ilike(body.current_thread.text, '*support*'),
    strings.ilike(body.current_thread.text, '*help line*'),
    strings.ilike(body.current_thread.text, '*receipt*'),
    strings.ilike(body.current_thread.text, '*invoice*'),
    strings.ilike(body.current_thread.text, '*call*'),
    strings.ilike(body.current_thread.text, '*cancel*'),
    strings.ilike(body.current_thread.text, '*renew*'),
    strings.ilike(body.current_thread.text, '*refund*')
  )
  // phone number regex, applied to the current thread text OR the subject.
  // Reading: optional '+', optional country-code digit plus one separator
  // char, optional '(' / ')' around a 3-digit area code, one separator char,
  // 3 digits, optional separator, 4 digits, word-bounded on both ends.
  // NOTE(review): the separators are an unescaped '.', which matches ANY single
  // character (including a digit), and '\d{3}?' is a lazy quantifier on a fixed
  // count, i.e. equivalent to plain '\d{3}'. A tighter separator class such as
  // [\s.-] would presumably cut matches on bare digit runs -- not validated
  // here, so the pattern is left as-is.
  and any([body.current_thread.text, subject.subject], regex.icontains(., '\b\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}\b')
  )

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Computer Vision"
  - "Header analysis"
  - "Sender analysis"
  # NOTE(review): the source above contains no link/URL checks; confirm that
  # "URL analysis" is intended as a detection method for this rule.
  - "URL analysis"

id: "48aec918-d1bb-511e-8eba-8c34a663f28c"