Brand Impersonation: Fake DocuSign HTML table not linking to DocuSign domains

Detects HTML table elements that mimic DocuSign templates while linking to non-DocuSign destinations. The rule excludes highly trusted sender domains (unless they fail DMARC) and legitimate replies.

Sublime rule (View on GitHub)

  1name: "Brand Impersonation: Fake DocuSign HTML table not linking to DocuSign domains"
  2description: "Detects HTML table elements that mimick DocuSign templates linking to non-DocuSign destinations. The rule negates high trusted sender domains and legitimate replies."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and length(attachments) == 0
  8  and (
  9    0 < length(body.links) < 10
 10    // ignore link count when the HTML is padded with whitespace
 11    // indicative of thread hijacking/copy-pasting
 12    or regex.icount(body.html.raw, '(<br\s*/?>[\s\n]*)') > 50
 13  )
 14  and (
 15    regex.icontains(body.html.raw, '<font size="[0-9]">DocuSign</font>')
 16    or regex.icontains(body.html.raw, '<span[^>]*style="[^"]*">DocuSign<\/span>')
 17    or regex.icontains(body.html.raw, '<strong>DocuSign</strong>')
 18    or regex.icontains(body.html.raw,
 19                       'D&#917540;&#917540;o&#917540;&#917540;c︀uS&#917540;&#917540;i︀gn'
 20    )
 21    or any(body.links, regex.icontains(.display_text, 'view.{0,3}doc'))
 22    or any(body.links, regex.contains(.display_text, '\bDOCUMENT'))
 23  )
 24  and (
 25    regex.icontains(body.html.raw, 'background:\s*rgb\(30,\s*76,\s*161\)')
 26    or regex.icontains(body.html.raw,
 27                       'background-color:\s*rgb\(30,\s*76,\s*161\)'
 28    )
 29    or regex.icontains(body.html.raw,
 30                       'background-color:\s*rgb\(61,\s*170,\s*73\)'
 31    )
 32    or regex.icontains(body.html.raw,
 33                       '<div[^>]*BACKGROUND-COLOR: #1e4ca1[^>]*>|<td[^>]*BACKGROUND-COLOR: #1e4ca1[^>]*>'
 34    )
 35    or regex.icontains(body.html.raw, 'background-color:#214e9f;')
 36    or regex.icontains(body.html.raw, 'background-color:#3260a7')
 37    or regex.icontains(body.html.raw,
 38                       '<table[^>]*cellspacing="0"[^>]*cellpadding="0"[^>]*>\s*<tbody[^>]*>\s*<tr[^>]*>\s*<td[^>]*style="BACKGROUND:\s*rgb\(247,247,247\);\s*width:\s*[0-9]{2,3}px;\s*padding:20px;\s*margin:\s*[0-9]{2,3}px"[^>]*>.*<div[^>]*style="BACKGROUND:\s*rgb\(30,76,161\);\s*padding:[0-9]{2,3}px;\s*color:#EFEFEF"[^>]*align="center"[^>]*>.*DOCUMENT.*</a>'
 39    )
 40    // Docusign Blue Box template with button
 41    or (
 42      regex.icontains(body.html.raw,
 43                      '<(td|div)[^>]*style="[^"]*background(-color)?:\s*(#1e4ca1|rgb\(30,\s*76,\s*161\))[^"]*"[^>]*>'
 44      )
 45      and (
 46        regex.icontains(body.html.raw,
 47                        '<a[^>]*style="[^"]*background-color:\s*(#[A-Fa-f0-9]{6}|rgb\([^)]*\))[^"]*"[^>]*>.*?<span[^>]*>.*?<\/span>.*?<\/a>'
 48        )
 49        // white link with a border
 50        or (
 51          regex.icontains(body.html.raw,
 52                          '<a[^>]*style="[^"]*color:\s*(white|#fff|#ffffff|#FFF|#FFFFFF|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\)|rgba\(\s*255\s*,\s*255\s*,\s*255\s*,\s*[0-9.]+\s*\)|rgb\(\s*100%\s*,\s*100%\s*,\s*100%\s*\))[^"]*"[^>]*>.*?<\/a>'
 53          )
 54          and regex.icontains(body.html.raw,
 55                              '<a[^>]*style="[^"]*border:[^"]*"[^>]*>.*?<\/a>'
 56          )
 57        )
 58      )
 59    )
 60  )
 61  and any(body.links,
 62          not strings.ilike(.href_url.domain.root_domain, "docusign.*")
 63          and (
 64            .display_text is null or regex.contains(.display_text, '\bDOCUMENT')
 65          )
 66  )
 67  // negate highly trusted sender domains unless they fail DMARC authentication
 68  and (
 69    (
 70      sender.email.domain.root_domain in $high_trust_sender_root_domains
 71      and (
 72        any(distinct(headers.hops, .authentication_results.dmarc is not null),
 73            strings.ilike(.authentication_results.dmarc, "*fail")
 74        )
 75      )
 76    )
 77    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 78  )
 79  
 80  // negate legit replies
 81  and not (
 82    length(headers.references) > 0
 83    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
 84  )
 85  and not profile.by_sender().any_false_positives
 86  
 87  // negate docusign X-Return-Path
 88  and not any(headers.hops,
 89              .index == 0
 90              and any(.fields,
 91                      .name == "X-Return-Path"
 92                      and strings.ends_with(.value, "docusign.net")
 93              )
 94  )  
 95
 96attack_types:
 97  - "Credential Phishing"
 98tactics_and_techniques:
 99  - "Impersonation: Brand"
100  - "Social engineering"
101detection_methods:
102  - "Content analysis"
103  - "HTML analysis"
104  - "Header analysis"
105  - "Sender analysis"
106  - "URL analysis"
107
108id: "28923dde-09fc-5b49-8263-ed2ab41b5c08"