Credential phishing: DocuSign embedded image lure with no DocuSign domains in links
Detects DocuSign-themed phishing emails that contain no DocuSign links, embed a DocuSign logo in the message body, and come from a new sender.
Sublime rule
# Sublime Security detection rule (YAML). The `source` block is an MQL
# expression evaluated per inbound message; the rule fires when it is true.
name: "Credential phishing: DocuSign embedded image lure with no DocuSign domains in links"
description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo embedded in the body of the message, from a new sender."
type: "rule"
severity: "high"
source: |
  type.inbound
  // link boundary: fewer than 25 links with a valid domain (link-heavy messages are out of scope)
  and length(filter(body.links, .href_url.domain.valid)) < 25

  // there are no attachments, or only small, likely signature images
  // (every attachment is an image type under 8000 bytes)
  and (
    length(attachments) == 0
    or (
      length(attachments) > 0
      and all(attachments, .size < 8000 and .file_type in $file_types_images)
    )
  )

  // Screenshot indicates a docusign logo or docusign name with cta to documents.
  // Brand identification runs on a rendering of the message rather than on the
  // HTML, so a logo delivered as an embedded image is still matched.
  and (
    (
      //
      // This rule makes use of a beta feature and is subject to change without notice
      // using the beta feature in custom rules is not suggested until it has been formally released
      //
      // OCR text of the rendered message mentions DocuSign ...
      strings.ilike(beta.ocr(file.message_screenshot()).text, "*DocuSign*")
      // ... or logo detection returns the DocuSign brand
      or any(ml.logo_detect(file.message_screenshot()).brands,
             .name == "DocuSign"
      )
    )
    // links with null display_text that do not go to docusign.* (indicative of
    // hyperlinked image) or the display text contains DOCUMENT
    and (
      (
        (
          //
          // This rule makes use of a beta feature and is subject to change without notice
          // using the beta feature in custom rules is not suggested until it has been formally released
          //
          // document call-to-action phrasing in the OCR text (English, plus German below)
          regex.icontains(beta.ocr(file.message_screenshot()).text,
                          "((re)?view|access|sign|complete(d)?) documen(t)?(s)?",
                          "Your document has been completed",
                          "New Document Shared with you",
                          "Kindly click the link",
                          "important edocs",
                          // German (Document (check|check|sign|sent))
                          "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
          )
          // German (important|urgent|immediate) but not in the Microsoft link
          // The Microsoft sender-identification banner link text
          // ("Erfahren Sie, warum dies wichtig ist") itself contains "wichtig",
          // so one additional hit is required when that link is present.
          or (
            (
              any(body.links,
                  .display_text == "Erfahren Sie, warum dies wichtig ist"
                  and .href_url.url == "https://aka.ms/LearnAboutSenderIdentification"
              )
              and regex.icount(beta.ocr(file.message_screenshot()).text,
                               "(wichtig|dringend|sofort)"
              ) > 1
            )
            or (
              not any(body.links,
                      .display_text == "Erfahren Sie, warum dies wichtig ist"
                      and .href_url.url == "https://aka.ms/LearnAboutSenderIdentification"
              )
              and regex.icount(beta.ocr(file.message_screenshot()).text,
                               "(wichtig|dringend|sofort)"
              ) > 0
            )
          )
        )
        // ... together with at least one non-DocuSign link that has neither
        // display text nor a display URL (an image wrapped in a hyperlink)
        and any(body.links,
                not strings.ilike(.href_url.domain.root_domain, "docusign.*")
                and (.display_text is null and .display_url.url is null)
        )
      )
      // or a non-DocuSign link whose display text is a document call-to-action
      or any(body.links,
             not strings.ilike(.href_url.domain.root_domain, "docusign.*")
             and (
               // look-alike (confusable) characters are normalised before matching
               regex.icontains(strings.replace_confusables(.display_text),
                               '(\bdocument|(view|get your) (docu|file))'
               )
               // "REVIEW DOCUMENT" with U+200F (right-to-left mark) inserted between letters
               or strings.icontains(.display_text,
                                    "R\u{200F}E\u{200F}V\u{200F}I\u{200F}E\u{200F}W\u{200F} \u{200F}D\u{200F}O\u{200F}C\u{200F}U\u{200F}M\u{200F}E\u{200F}N\u{200F}T\u{200F}"
               )
             )
      )
    )
  )

  // sender profile: unsolicited sender, or a sender with malicious/spam history and no benign history
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // negate legit replies (References or In-Reply-To header present)
  and not (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  // no benign history from this sender (this also subsumes the
  // any_messages_benign condition inside the sender-profile block above)
  and not profile.by_sender().any_messages_benign

  // negate docusign X-Return-Path
  // NOTE(review): ends_with("docusign.net") is a bare suffix match with no
  // delimiter, so any value whose last characters are "docusign.net" satisfies
  // it; a "@docusign.net" or ".docusign.net" suffix would be stricter. This
  // exclusion keys on a header value rather than on an authentication result —
  // confirm that is intended.
  and not any(headers.hops,
              .index == 0
              and any(.fields,
                      .name == "X-Return-Path"
                      and strings.ends_with(.value, "docusign.net")
              )
  )

  // negate "via" senders via dmarc authentication
  // (DMARC-passing sender from an org domain whose display name contains "via";
  // coalesce(..., false) yields false when the expression is null, i.e. no exclusion)
  and (
    not coalesce(headers.auth_summary.dmarc.pass
                 and strings.contains(sender.display_name, "via")
                 and sender.email.domain.domain in $org_domains,
                 false
    )
  )
# Classification metadata for the rule.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "dfe8715e-6318-579b-9131-ddfc9854dc95"