Credential Phishing: DocuSign embedded image lure with no DocuSign domains in links

Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo embedded in the body of the message, from a new sender.

Sublime rule

  1name: "Credential Phishing: DocuSign embedded image lure with no DocuSign domains in links"
  2description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo embedded in the body of the message, from a new sender."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  
  8  // link boundary
  9  and length(filter(body.links, .href_url.domain.valid)) < 25
 10  
 11  // there are no attachments, or only small, likely signature images
 12  and (
 13    length(attachments) == 0
 14    or (
 15      length(attachments) > 0
 16      and all(attachments, .size < 8000 and .file_type in $file_types_images)
 17    )
 18  )
 19  
 20  // Screenshot indicates a docusign logo or docusign name with cta to documents
 21  and (
 22    any(file.explode(beta.message_screenshot()),
 23        (
 24          strings.ilike(.scan.ocr.raw, "*DocuSign*")
 25          or any(ml.logo_detect(beta.message_screenshot()).brands,
 26                 .name == "DocuSign"
 27          )
 28        )
 29        and (
 30          (
 31            (
 32              regex.icontains(.scan.ocr.raw,
 33                              "((re)?view|access|sign|complete(d)?) documen(t)?(s)?",
 34                              "Your document has been completed",
 35                              "New Document Shared with you",
 36                              "Kindly click the link",
 37                              "important edocs",
 38                              // German (Document (check|check|sign|sent))
 39                              "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
 40              )
 41              // German (important|urgent|immediate) but not in the Microsoft link
 42              or (
 43                (
 44                  any(body.links,
 45                      .display_text == "Erfahren Sie, warum dies wichtig ist"
 46                      and .href_url.url == "https://aka.ms/LearnAboutSenderIdentification"
 47                  )
 48                  and regex.icount(.scan.ocr.raw, "(wichtig|dringend|sofort)") > 1
 49                )
 50                or (
 51                  not any(body.links,
 52                          .display_text == "Erfahren Sie, warum dies wichtig ist"
 53                          and .href_url.url == "https://aka.ms/LearnAboutSenderIdentification"
 54                  )
 55                  and regex.icount(.scan.ocr.raw, "(wichtig|dringend|sofort)") > 0
 56                )
 57              )
 58            )
 59            and any(body.links,
 60                    not strings.ilike(.href_url.domain.root_domain, "docusign.*")
 61                    and (.display_text is null and .display_url.url is null)
 62            )
 63          )
 64          or any(body.links,
 65                 not strings.ilike(.href_url.domain.root_domain, "docusign.*")
 66                 and regex.icontains(.display_text,
 67                                     '(\bdocument|(view|get your) (docu|file))'
 68                 )
 69          )
 70        )
 71    )
 72  )
 73  
 74  // links with null display_text that do not go to docusign.* (indicative of hyperlinked image) or the display text contains DOCUMENT 
 75  and (
 76    not profile.by_sender().solicited
 77    or (
 78      profile.by_sender().any_messages_malicious_or_spam
 79      and not profile.by_sender().any_false_positives
 80    )
 81  )
 82  // negate highly trusted sender domains unless they fail DMARC authentication
 83  and (
 84    (
 85      sender.email.domain.root_domain in $high_trust_sender_root_domains
 86      and not headers.auth_summary.dmarc.pass
 87    )
 88    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 89  )
 90  
 91  // negate legit replies
 92  and not (
 93    length(headers.references) > 0
 94    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
 95  )
 96  and not profile.by_sender().any_false_positives
 97  
 98  // negate docusign X-Return-Path
 99  and not any(headers.hops,
100              .index == 0
101              and any(.fields,
102                      .name == "X-Return-Path"
103                      and strings.ends_with(.value, "docusign.net")
104              )
105  )
106  
107  // negate "via" senders via dmarc authentication
108  and (
109    not coalesce(headers.auth_summary.dmarc.pass
110                 and strings.contains(sender.display_name, "via")
111                 and sender.email.domain.domain in $org_domains,
112                 false
113    )
114  )  
115
116attack_types:
117  - "Credential Phishing"
118tactics_and_techniques:
119  - "Impersonation: Brand"
120  - "Social engineering"
121detection_methods:
122  - "Computer Vision"
123  - "Content analysis"
124  - "Header analysis"
125  - "Natural Language Understanding"
126  - "Optical Character Recognition"
127  - "Sender analysis"
128id: "dfe8715e-6318-579b-9131-ddfc9854dc95"