Credential phishing: DocuSign embedded image lure with no DocuSign domains in links
Detects DocuSign-themed credential phishing: the message shows a DocuSign logo or name in a rendered screenshot of the body, contains no links to DocuSign domains, and comes from an unsolicited sender or one with prior malicious/spam history and no benign history.
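name: "Credential phishing: DocuSign embedded image lure with no DocuSign domains in links"
description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo embedded in the body of the message, from a new sender."
type: "rule"
severity: "high"
source: |
  type.inbound

  // link boundary: fewer than 25 links whose domain parses as valid
  and length(filter(body.links, .href_url.domain.valid)) < 25

  // there are no attachments, or only small image attachments (likely signature images)
  and (
    length(attachments) == 0
    or (
      length(attachments) > 0
      and all(attachments, .size < 8000 and .file_type in $file_types_images)
    )
  )

  // A screenshot of the rendered message shows the DocuSign brand (logo or name)
  // AND a document-themed call to action that is paired with non-DocuSign links.
  and (
    (
      //
      // This rule makes use of a beta feature and is subject to change without notice
      // using the beta feature in custom rules is not suggested until it has been formally released
      //
      strings.ilike(beta.ocr(file.message_screenshot()).text, "*DocuSign*")
      or any(ml.logo_detect(file.message_screenshot()).brands,
             .name == "DocuSign"
      )
    )
    and (
      (
        (
          //
          // This rule makes use of a beta feature and is subject to change without notice
          // using the beta feature in custom rules is not suggested until it has been formally released
          //
          // English and German document call-to-action phrases found by OCR
          regex.icontains(beta.ocr(file.message_screenshot()).text,
                          "((re)?view|access|sign|complete(d)?) documen(t)?(s)?",
                          "Your document has been completed",
                          "New Document Shared with you",
                          "Kindly click the link",
                          "important edocs",
                          // German (Document (check|check|sign|sent))
                          "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
          )
          // German urgency words (important|urgent|immediate). The Microsoft
          // external-sender banner link text "Erfahren Sie, warum dies wichtig ist"
          // itself contributes one "wichtig" hit, so when that banner link is
          // present more than one hit is required; otherwise a single hit suffices.
          or (
            (
              any(body.links,
                  .display_text == "Erfahren Sie, warum dies wichtig ist"
                  and .href_url.url == "https://aka.ms/LearnAboutSenderIdentification"
              )
              and regex.icount(beta.ocr(file.message_screenshot()).text, "(wichtig|dringend|sofort)") > 1
            )
            or (
              not any(body.links,
                      .display_text == "Erfahren Sie, warum dies wichtig ist"
                      and .href_url.url == "https://aka.ms/LearnAboutSenderIdentification"
              )
              and regex.icount(beta.ocr(file.message_screenshot()).text, "(wichtig|dringend|sofort)") > 0
            )
          )
        )
        // a link with no display text and no display URL that does not go to
        // docusign.* (indicative of a hyperlinked image)
        and any(body.links,
                not strings.ilike(.href_url.domain.root_domain, "docusign.*")
                and (.display_text is null and .display_url.url is null)
        )
      )
      // or a link whose display text references a document but does not go to docusign.*
      or any(body.links,
             not strings.ilike(.href_url.domain.root_domain, "docusign.*")
             and regex.icontains(.display_text,
                                 '(\bdocument|(view|get your) (docu|file))'
             )
      )
    )
  )

  // sender profile: the sender has never been seen sending benign mail, and is
  // either unsolicited or has prior malicious/spam messages
  and not profile.by_sender().any_messages_benign
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // negate legit replies (References header present or any hop carries In-Reply-To)
  and not (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )

  // negate messages whose hop-0 X-Return-Path is a docusign.net address.
  // The match is anchored on a preceding "@" or "." and on the end of the value
  // (optionally followed by ">") so lookalike domains such as "notdocusign.net"
  // do not satisfy the exclusion, which a bare ends_with("docusign.net") would.
  // NOTE(review): X-Return-Path reflects the envelope sender, which the sending
  // party chooses; unlike the high-trust exclusion above this negation is not
  // gated on DMARC/SPF results — consider also requiring authentication to pass.
  and not any(headers.hops,
              .index == 0
              and any(.fields,
                      .name == "X-Return-Path"
                      and regex.icontains(.value, '[@.]docusign\.net>?$')
              )
  )

  // negate "via" senders (org-domain sender with "via" in the display name) that pass DMARC;
  // coalesce treats a missing DMARC result as "not passing" so the negation does not apply
  and (
    not coalesce(headers.auth_summary.dmarc.pass
                 and strings.contains(sender.display_name, "via")
                 and sender.email.domain.domain in $org_domains,
                 false
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "dfe8715e-6318-579b-9131-ddfc9854dc95"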