Brand Impersonation: Fake DocuSign HTML table not linking to DocuSign domains

Detects HTML table elements that mimic DocuSign templates while linking to non-DocuSign destinations. The rule negates highly trusted sender domains and legitimate replies.

Sublime rule (View on GitHub)

 1name: "Brand Impersonation: Fake DocuSign HTML table not linking to DocuSign domains"
 2description: "Detects HTML table elements that mimick DocuSign templates linking to non-DocuSign destinations. The rule negates high trusted sender domains and legitimate replies."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(attachments) == 0
 8  and 0 < length(body.links) < 10
 9  and (
10    regex.icontains(body.html.raw, '<font size="[0-9]">DocuSign</font>')
11    or regex.icontains(body.html.raw, '<span[^>]*style="[^"]*">DocuSign<\/span>')
12    or regex.icontains(body.html.raw, '<strong>DocuSign</strong>')
13    or regex.icontains(body.html.raw, 'D&#917540;&#917540;o&#917540;&#917540;c︀uS&#917540;&#917540;i︀gn')
14    or any(body.links, regex.icontains(.display_text, 'view.{0,3}doc'))
15    or any(body.links, regex.contains(.display_text, '\bDOCUMENT'))
16  )
17  and (
18    regex.icontains(body.html.raw, 'background:\s*rgb\(30,\s*76,\s*161\)')
19    or regex.icontains(body.html.raw,
20                       'background-color:\s*rgb\(30,\s*76,\s*161\)'
21    )
22    or regex.icontains(body.html.raw,
23                       'background-color:\s*rgb\(61,\s*170,\s*73\)'
24    )
25    or regex.icontains(body.html.raw,
26                       '<div[^>]*BACKGROUND-COLOR: #1e4ca1[^>]*>|<td[^>]*BACKGROUND-COLOR: #1e4ca1[^>]*>'
27    )
28    or regex.icontains(body.html.raw, 'background-color:#214e9f;')
29    or regex.icontains(body.html.raw, 'background-color:#3260a7')
30    or regex.icontains(body.html.raw,
31                       '<table[^>]*cellspacing="0"[^>]*cellpadding="0"[^>]*>\s*<tbody[^>]*>\s*<tr[^>]*>\s*<td[^>]*style="BACKGROUND:\s*rgb\(247,247,247\);\s*width:\s*[0-9]{2,3}px;\s*padding:20px;\s*margin:\s*[0-9]{2,3}px"[^>]*>.*<div[^>]*style="BACKGROUND:\s*rgb\(30,76,161\);\s*padding:[0-9]{2,3}px;\s*color:#EFEFEF"[^>]*align="center"[^>]*>.*DOCUMENT.*</a>'
32    )
33  )
34  and any(body.links,
35          not strings.ilike(.href_url.domain.root_domain, "docusign.*")
36          and (
37            .display_text is null or regex.contains(.display_text, '\bDOCUMENT')
38          )
39  )
40  // negate highly trusted sender domains unless they fail DMARC authentication
41  and (
42    (
43      sender.email.domain.root_domain in $high_trust_sender_root_domains
44      and (
45        any(distinct(headers.hops, .authentication_results.dmarc is not null),
46            strings.ilike(.authentication_results.dmarc, "*fail")
47        )
48      )
49    )
50    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
51  )
52  
53  // negate legit replies
54  and not (
55    length(headers.references) > 0
56    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
57  )
58  and not profile.by_sender().any_false_positives
59  
60  // negate docusign X-Return-Path
61  and not any(headers.hops,
62              .index == 0
63              and any(.fields,
64                      .name == "X-Return-Path"
65                      and strings.ends_with(.value, "docusign.net")
66              )
67  )  
68
69attack_types:
70  - "Credential Phishing"
71tactics_and_techniques:
72  - "Impersonation: Brand"
73  - "Social engineering"
74detection_methods:
75  - "Content analysis"
76  - "HTML analysis"
77  - "Header analysis"
78  - "Sender analysis"
79  - "URL analysis"
80
81id: "28923dde-09fc-5b49-8263-ed2ab41b5c08"