Credential Phishing: DocuSign embedded image lure with no DocuSign domains in links
Detects DocuSign phishing emails that contain no DocuSign links, embed a DocuSign logo in the body of the message, and come from a new sender.
name: "Credential Phishing: DocuSign embedded image lure with no DocuSign domains in links"
description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo embedded in the body of the message, from a new sender."
type: "rule"
severity: "high"
source: |
  // Inbound messages only.
  type.inbound

  // Link boundary: cap on the number of links whose domain is valid.
  and length(filter(body.links, .href_url.domain.valid)) < 25

  // There are no attachments, or only small, likely signature images
  // (every attachment is under 8000 bytes and has an image file type).
  and (
    length(attachments) == 0
    or (
      length(attachments) > 0
      and all(attachments, .size < 8000 and .file_type in $file_types_images)
    )
  )

  // A screenshot of the rendered message shows DocuSign branding (logo or
  // name), combined with a document-related call to action.
  and (
    any(file.explode(beta.message_screenshot()),
        // Branding: the OCR text mentions DocuSign, or the logo detector
        // finds the DocuSign brand in the screenshot.
        (
          strings.ilike(.scan.ocr.raw, "*DocuSign*")
          or any(ml.logo_detect(beta.message_screenshot()).brands,
                 .name == "DocuSign"
          )
        )
        and (
          (
            // OCR text contains a "view/sign document" style call to action
            // (English and German phrasings).
            regex.icontains(.scan.ocr.raw,
                            "((re)?view|access|sign|complete(d)?) documen(t)?(s)?",
                            "Your document has been completed",
                            "New Document Shared with you",
                            "Kindly click the link",
                            "important edocs",
                            // German: Dokument (review|check|sign|sent)
                            "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
                            // German: (important|urgent|immediate)
                            "(wichtig|dringend|sofort)"
            )
            // ... and the message has a link with neither display text nor a
            // display URL (indicative of a hyperlinked image) whose root
            // domain is not docusign.*. body.links is the message-level link
            // list, not a property of the exploded screenshot item.
            and any(body.links,
                    not strings.ilike(.href_url.domain.root_domain, "docusign.*")
                    and (.display_text is null and .display_url.url is null)
            )
          )
          // ... or a link whose root domain is not docusign.* and whose
          // display text reads like a document call to action.
          or any(body.links,
                 not strings.ilike(.href_url.domain.root_domain, "docusign.*")
                 and regex.icontains(.display_text,
                                     '(\bdocument|(view|get your) (docu|file))'
                 )
          )
        )
    )
  )

  // Sender profile: the sender is unsolicited, or has previously sent
  // malicious/spam messages and has no recorded false positives.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // Negate highly trusted sender domains unless they fail DMARC authentication.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // Negate legit replies: a non-empty References header, or an In-Reply-To
  // field (case-insensitive name match) on any hop.
  and not (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  // Negate any sender with recorded false positives (this also makes the
  // any_false_positives clause inside the sender-profile block above redundant).
  and not profile.by_sender().any_false_positives

  // Negate a DocuSign X-Return-Path on the hop with index 0.
  // NOTE(review): ends_with has no domain boundary, so any value that merely
  // ends in the characters "docusign.net" satisfies this exclusion; anchoring
  // on ".docusign.net" would tighten it.
  and not any(headers.hops,
              .index == 0
              and any(.fields,
                      .name == "X-Return-Path"
                      and strings.ends_with(.value, "docusign.net")
              )
  )

  // Negate "via" senders from an org domain that pass DMARC authentication.
  // coalesce maps a null result to false, so a missing auth summary does not
  // negate the rule.
  and (
    not coalesce(headers.auth_summary.dmarc.pass
                 and strings.contains(sender.display_name, "via")
                 and sender.email.domain.domain in $org_domains,
                 false
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "dfe8715e-6318-579b-9131-ddfc9854dc95"