Callback Phishing via DocuSign comment

calendar May 13, 2024  ·
Share on: linkedin copy

This rule inspects messages originating from legitimate DocuSign infrastructure, with a DocuSign logo that match Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number.

Sublime rule (View on GitHub)

 1name: "Callback Phishing via DocuSign comment"
 2description: |
 3    This rule inspects messages originating from legitimate DocuSign infrastructure, with a DocuSign logo that match Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number. 
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and length(attachments) == 0
 9  
10  // Legitimate Docusign sending infratructure
11  and (
12    sender.email.domain.root_domain in ('docusign.net', 'docusign.com')
13    // check for SPF or DMARC passed
14    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
15  )
16  
17  // Docusign Logo 
18  and any(ml.logo_detect(beta.message_screenshot()).brands, .name == "DocuSign")
19  
20  // Callback Phishing
21  and regex.icontains(body.current_thread.text,
22                      (
23                        "mcafee|norton|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifelock"
24                      )
25  )
26  and 3 of (
27    strings.ilike(body.current_thread.text, '*purchase*'),
28    strings.ilike(body.current_thread.text, '*payment*'),
29    strings.ilike(body.current_thread.text, '*transaction*'),
30    strings.ilike(body.current_thread.text, '*subscription*'),
31    strings.ilike(body.current_thread.text, '*antivirus*'),
32    strings.ilike(body.current_thread.text, '*order*'),
33    strings.ilike(body.current_thread.text, '*support*'),
34    strings.ilike(body.current_thread.text, '*help line*'),
35    strings.ilike(body.current_thread.text, '*receipt*'),
36    strings.ilike(body.current_thread.text, '*invoice*'),
37    strings.ilike(body.current_thread.text, '*call*'),
38    strings.ilike(body.current_thread.text, '*cancel*'),
39    strings.ilike(body.current_thread.text, '*renew*'),
40    strings.ilike(body.current_thread.text, '*refund*')
41  )
42  // phone number regex
43  and any([body.current_thread.text, subject.subject],
44          regex.icontains(., '\b\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}\b')
45  )  
46
47attack_types:
48  - "Callback Phishing"
49tactics_and_techniques:
50  - "Evasion"
51  - "Impersonation: Brand"
52  - "Out of band pivot"
53  - "Social engineering"
54detection_methods:
55  - "Content analysis"
56  - "Computer Vision"
57  - "Header analysis"
58  - "Sender analysis"
59  - "URL analysis"
60  
61id: "48aec918-d1bb-511e-8eba-8c34a663f28c"
to-top