Credential Phishing: DocuSign embedded image lure with no DocuSign domains in links

Detects DocuSign-themed phishing emails that contain no DocuSign links but have a DocuSign logo embedded in the message body, sent from a new sender.

Sublime rule

# Sublime Security detection rule; the `source` literal block is MQL.
# Fires on inbound mail that visually impersonates DocuSign (logo detection or
# OCR text on the rendered screenshot) while carrying a link whose root domain is
# not DocuSign, with sender-reputation and header-based exclusions for legitimate
# DocuSign traffic, replies and "via" senders.
name: "Credential Phishing: DocuSign embedded image lure with no DocuSign domains in links"
description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo embedded in the body of the message, from a new sender."
type: "rule"
severity: "high"
source: |
  // Scope: inbound messages carrying at most one attachment.
  type.inbound
  and length(attachments) <= 1
  // Link check: at least one body link whose root domain does not match "docusign.*".
  // NOTE(review): this is "any non-DocuSign link", not "no DocuSign links" as the
  // description states — a message mixing DocuSign and non-DocuSign links still
  // satisfies this clause; confirm that is the intended scope.
  and any(body.links,
          not strings.ilike(.href_url.domain.root_domain, "docusign.*")
  )
  // Brand evidence from the rendered message screenshot: a detected brand named
  // DocuSign, or OCR text containing "DocuSign" together with an NLU cred_theft
  // intent whose confidence is not "low".
  // NOTE(review): the OCR/NLU alternative sits inside the brands predicate, so it
  // is only evaluated when logo_detect returns at least one brand (of any name).
  // If the fallback is meant to apply when no brand is detected at all, the `or`
  // would need to be outside the outer any() — confirm intent.
  and (
    any(ml.logo_detect(beta.message_screenshot()).brands,
        .name == "DocuSign"
        or any(file.explode(beta.message_screenshot()),
               strings.ilike(.scan.ocr.raw, "*DocuSign*")
               and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                       .name == "cred_theft" and .confidence != "low"
               )
        )
    )
  )
  // OCR keyword check on the screenshot: at least one of these case-insensitive
  // patterns must appear in the recognised text.
  and any(file.explode(beta.message_screenshot()),
          regex.icontains(.scan.ocr.raw,
                          "review document",
                          // "sign" whose four preceding characters differ
                          // position-wise from "docu" (so "docusign" itself is
                          // not matched by this pattern)
                          "[^d][^o][^c][^u]sign",
                          "important edocs",
                          "completed document",
                          // German (Document (check|check|sign|sent))
                          "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
                          // German (important|urgent|immediate)
                          "(wichtig|dringend|sofort)"
          )
  )
  // Sender reputation: an unsolicited sender, or a sender with prior malicious/spam
  // messages and no recorded false positives.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a high-trust root domain is kept only when some hop's DMARC result matches "*fail")
  and
  (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  
  // negate legit replies: a References header is present, or any hop carries an
  // In-Reply-To field
  and not (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  // Unconditional exclusion of senders with false-positive history (the reputation
  // clause above already requires this on its second branch only).
  and not profile.by_sender().any_false_positives

  // negate docusign X-Return-Path: first hop (index 0) carries an X-Return-Path
  // value ending in "docusign.net"
  and not any(headers.hops,
              .index == 0
              and any(.fields,
                      .name == "X-Return-Path"
                      and strings.ends_with(.value, "docusign.net")
              )
  )

  // negate "via" senders via dmarc authentication: some hop's DMARC result matches
  // "pass", the display name contains "via", and the sender's full domain (not its
  // root domain) is in $org_domains.
  // NOTE(review): the "pass" pattern has no wildcard, unlike "*fail" above — confirm
  // the dmarc value is exactly "pass" in the hops this is meant to match.
  and (
    not (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "pass")
          and strings.contains(sender.display_name, "via")
          and sender.email.domain.domain in $org_domains
      )
    )
  )  

# Classification metadata used for reporting; not part of the detection logic.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "dfe8715e-6318-579b-9131-ddfc9854dc95"