Callback Phishing via DocuSign comment

calendar May 2, 2024  ·
Share on: linkedin copy

This rule inspects messages originating from legitimate DocuSign infrastructure, with a DocuSign logo that match Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number.

Sublime rule (View on GitHub)

 1name: "Callback Phishing via DocuSign comment"
 2description: |
 3    This rule inspects messages originating from legitimate DocuSign infrastructure, with a DocuSign logo that match Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number. 
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and length(attachments) == 0
 9  
10  // Legitimate Docusign sending infratructure
11  and (
12    sender.email.domain.root_domain in ('docusign.net', 'docusign.com')
13    // check for SPF or DMARC passed
14    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
15  )
16  
17  // Docusign Logo 
18  and any(ml.logo_detect(beta.message_screenshot()).brands, .name == "DocuSign")
19  
20  // Callback Phishing
21  and strings.ilike(body.current_thread.text,
22                    "*mcafee*",
23                    "*norton*",
24                    "*geek?squad*",
25                    "*paypal*",
26                    "*ebay*",
27                    "*symantec*",
28                    "*best buy*",
29                    "*lifelock*"
30  )
31  
32  and 3 of (
33    strings.ilike(body.current_thread.text, '*purchase*'),
34    strings.ilike(body.current_thread.text, '*payment*'),
35    strings.ilike(body.current_thread.text, '*transaction*'),
36    strings.ilike(body.current_thread.text, '*subscription*'),
37    strings.ilike(body.current_thread.text, '*antivirus*'),
38    strings.ilike(body.current_thread.text, '*order*'),
39    strings.ilike(body.current_thread.text, '*support*'),
40    strings.ilike(body.current_thread.text, '*help line*'),
41    strings.ilike(body.current_thread.text, '*receipt*'),
42    strings.ilike(body.current_thread.text, '*invoice*'),
43    strings.ilike(body.current_thread.text, '*call*'),
44    strings.ilike(body.current_thread.text, '*cancel*'),
45    strings.ilike(body.current_thread.text, '*renew*'),
46    strings.ilike(body.current_thread.text, '*refund*')
47  )
48  // phone number regex
49  and any([body.current_thread.text, subject.subject], regex.icontains(., '\b\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}\b')
50  )  
51
52attack_types:
53  - "Callback Phishing"
54tactics_and_techniques:
55  - "Evasion"
56  - "Impersonation: Brand"
57  - "Out of band pivot"
58  - "Social engineering"
59detection_methods:
60  - "Content analysis"
61  - "Computer Vision"
62  - "Header analysis"
63  - "Sender analysis"
64  - "URL analysis"
65  
66id: "48aec918-d1bb-511e-8eba-8c34a663f28c"
to-top