Callback Phishing via DocuSign comment

calendar Jan 2, 2025  ·
Share on: linkedin copy

This rule inspects messages originating from legitimate DocuSign infrastructure, with a DocuSign logo that match Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number.

Sublime rule (View on GitHub)

 1name: "Callback Phishing via DocuSign comment"
 2description: |
 3    This rule inspects messages originating from legitimate DocuSign infrastructure, with a DocuSign logo that match Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number. 
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and length(attachments) == 0
 9  
10  // Legitimate Docusign sending infratructure
11  and sender.email.domain.root_domain == 'docusign.net'
12  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
13  
14  // Docusign Logo 
15  and any(ml.logo_detect(beta.message_screenshot()).brands, .name == "DocuSign")
16  
17  // Callback Phishing
18  and regex.icontains(body.current_thread.text,
19                      (
20                        "mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck"
21                      )
22  )
23  and 3 of (
24    strings.ilike(body.current_thread.text, '*purchase*'),
25    strings.ilike(body.current_thread.text, '*payment*'),
26    strings.ilike(body.current_thread.text, '*transaction*'),
27    strings.ilike(body.current_thread.text, '*subscription*'),
28    strings.ilike(body.current_thread.text, '*antivirus*'),
29    strings.ilike(body.current_thread.text, '*order*'),
30    strings.ilike(body.current_thread.text, '*support*'),
31    strings.ilike(body.current_thread.text, '*help line*'),
32    strings.ilike(body.current_thread.text, '*receipt*'),
33    strings.ilike(body.current_thread.text, '*invoice*'),
34    strings.ilike(body.current_thread.text, '*call*'),
35    strings.ilike(body.current_thread.text, '*cancel*'),
36    strings.ilike(body.current_thread.text, '*renew*'),
37    strings.ilike(body.current_thread.text, '*refund*')
38  )
39  // phone number regex
40  and any([body.current_thread.text, subject.subject],
41          regex.icontains(., '\b\+?(\d{1}.)?\(?\d{3}?\)?.~?.?\d{3}.?~?.\d{4}\b')
42  )  
43
44attack_types:
45  - "Callback Phishing"
46tactics_and_techniques:
47  - "Evasion"
48  - "Impersonation: Brand"
49  - "Out of band pivot"
50  - "Social engineering"
51detection_methods:
52  - "Content analysis"
53  - "Computer Vision"
54  - "Header analysis"
55  - "Sender analysis"
56  - "URL analysis"
57  
58id: "48aec918-d1bb-511e-8eba-8c34a663f28c"
to-top