Brand Impersonation: Fake DocuSign HTML table not linking to DocuSign domains
Detects HTML table elements that mimic DocuSign templates while linking to non-DocuSign destinations. The rule negates highly trusted sender domains and legitimate replies.
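name: "Brand Impersonation: Fake DocuSign HTML table not linking to DocuSign domains"
description: "Detects HTML table elements that mimick DocuSign templates linking to non-DocuSign destinations. The rule negates high trusted sender domains and legitimate replies."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail with no attachments and a small number of links,
  // the shape of a DocuSign-style "review document" notification.
  type.inbound
  and length(attachments) == 0
  and 0 < length(body.links) < 10

  // DocuSign branding in the HTML body or in link display text
  and (
    regex.icontains(body.html.raw, '<font size="[0-9]">DocuSign</font>')
    or regex.icontains(body.html.raw, '<span[^>]*style="[^"]*">DocuSign<\/span>')
    or regex.icontains(body.html.raw, '<strong>DocuSign</strong>')
    // "DocuSign" with non-printing Unicode characters interleaved between the letters
    or regex.icontains(body.html.raw,
                       'D󠀤󠀤o󠀤󠀤c︀uS󠀤󠀤i︀gn'
    )
    or any(body.links, regex.icontains(.display_text, 'view.{0,3}doc'))
    or any(body.links, regex.contains(.display_text, '\bDOCUMENT'))
  )

  // DocuSign template styling: the blue (#1e4ca1 / rgb(30,76,161)) and
  // green (rgb(61,170,73)) button/header colours and the table layout
  and (
    regex.icontains(body.html.raw, 'background:\s*rgb\(30,\s*76,\s*161\)')
    or regex.icontains(body.html.raw,
                       'background-color:\s*rgb\(30,\s*76,\s*161\)'
    )
    or regex.icontains(body.html.raw,
                       'background-color:\s*rgb\(61,\s*170,\s*73\)'
    )
    or regex.icontains(body.html.raw,
                       '<div[^>]*BACKGROUND-COLOR: #1e4ca1[^>]*>|<td[^>]*BACKGROUND-COLOR: #1e4ca1[^>]*>'
    )
    or regex.icontains(body.html.raw, 'background-color:#214e9f;')
    or regex.icontains(body.html.raw, 'background-color:#3260a7')
    or regex.icontains(body.html.raw,
                       '<table[^>]*cellspacing="0"[^>]*cellpadding="0"[^>]*>\s*<tbody[^>]*>\s*<tr[^>]*>\s*<td[^>]*style="BACKGROUND:\s*rgb\(247,247,247\);\s*width:\s*[0-9]{2,3}px;\s*padding:20px;\s*margin:\s*[0-9]{2,3}px"[^>]*>.*<div[^>]*style="BACKGROUND:\s*rgb\(30,76,161\);\s*padding:[0-9]{2,3}px;\s*color:#EFEFEF"[^>]*align="center"[^>]*>.*DOCUMENT.*</a>'
    )
    // Docusign Blue Box template with button
    or (
      regex.icontains(body.html.raw,
                      '<td[^>]*style="[^"]*background-color:\s*(#1e4ca1|rgb\(30,\s*76,\s*161\))[^"]*"[^>]*>'
      )
      and regex.icontains(body.html.raw,
                          '<a[^>]*style="[^"]*background-color:\s*(#[A-Fa-f0-9]{6}|rgb\([^)]*\))[^"]*"[^>]*>.*?<span[^>]*>.*?<\/span>.*?<\/a>'
      )
    )
  )

  // At least one link (unlabelled, or labelled "DOCUMENT") points outside DocuSign
  and any(body.links,
          not strings.ilike(.href_url.domain.root_domain, "docusign.*")
          and (
            .display_text is null or regex.contains(.display_text, '\bDOCUMENT')
          )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // negate legit replies
  and not (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  and not profile.by_sender().any_false_positives

  // negate docusign X-Return-Path
  // Anchored on the mailbox/label delimiter so that an unrelated domain which
  // merely ends in the characters "docusign.net" does not suppress the alert.
  and not any(headers.hops,
              .index == 0
              and any(.fields,
                      .name == "X-Return-Path"
                      and regex.icontains(.value, '(^|[@.])docusign\.net$')
              )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"

id: "28923dde-09fc-5b49-8263-ed2ab41b5c08"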