Credential Phishing: Suspicious E-sign Agreement Document Notification
Detects phishing attempts disguised as e-signature requests, characterized by common document sharing phrases, unusual HTML padding, and suspicious link text.
name: "Credential Phishing: Suspicious E-sign Agreement Document Notification"
description: "Detects phishing attempts disguised as e-signature requests, characterized by common document sharing phrases, unusual HTML padding, and suspicious link text."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Lure: the subject line or the sender display name carries an e-sign /
  // document-share phrase. strings.replace_confusables presumably folds
  // look-alike Unicode characters to ASCII before matching (confirm in the MQL
  // reference). The "." inside patterns such as "Access.&.Approved" is the regex
  // wildcard, so any single separator character (space, hyphen, dot) matches.
  and any([subject.subject, sender.display_name],
          regex.icontains(strings.replace_confusables(.),
                          "DocuLink",
                          "Access.&.Approved",
                          "Attend.and.Review",
                          "Completed.File",
                          "Dochsared",
                          "Docshared",
                          "DocsPoint",
                          "Document.Shared",
                          "DocuCentre",
                          "DocuCenter",
                          "DocCenter",
                          "DocsOnline",
                          "DocSend",
                          "\\beSign",
                          "e\\.sign",
                          "e-doc",
                          "e-signature",
                          "eSignature",
                          "eSign&Return",
                          "eSignOnline",
                          "Fileshare",
                          "Review.and.Complete",
                          "Review.&.Sign",
                          "SignOnline",
                          "Signature.Request",
                          "Shared.Completed",
                          "Sign.and.Seal",
                          "viaSign",
                          "D0cuSign",
                          "DocsID",
                          "Complete.{0,10}DocuSign",
                          "Enroll & Sign",
                          "Review and Sign",
                          "SignReport",
                          "SignDoc",
                          "Docxxx",
                          "docufile",
                          "E-Sign&Return",
                          "document.signature",
          )
  )
  // Body shows signs of template padding or text obfuscation.
  and (
    // unusual repeated patterns in HTML: long runs of line breaks or empty
    // paragraphs used as filler
    regex.icontains(body.html.raw, '((<br\s*/?>\s*){20,}|\n{20,})')
    or regex.icontains(body.html.raw, '(<p[^>]*>\s*<br\s*/?>\s*</p>\s*){30,}')
    // NOTE(review): the blank inside the next four patterns and the
    // strings.count needle may be a non-breaking space (U+00A0 / &nbsp;) that
    // rendered as a plain space on this page — confirm against the committed
    // rule before editing, because a plain space changes what they match.
    or regex.icontains(body.html.raw,
                       '(<p class=".*?"><span style=".*?"><o:p> </o:p></span></p>\s*){30,}'
    )
    or regex.icontains(body.html.raw, '(<p> </p>\s*){7,}')
    or regex.icontains(body.html.raw, '(<p[^>]*>\s* <br>\s*</p>\s*){5,}')
    or regex.icontains(body.html.raw, '(<p[^>]*> </p>\s*){7,}')
    or strings.count(body.html.raw, '  ') > 50
    // more than 50 occurrences of a span holding a single letter immediately
    // followed by a span holding a word fragment: text split character-by-
    // character, which likely exists to defeat keyword matching
    or regex.count(body.html.raw,
                   '<span\s*class\s*=\s*"[^\"]+"\s*>\s*[a-z]\s*<\/span><span\s*class\s*=\s*"[^\"]+"\s*>\s*[a-z]+\s*<\/span>'
    ) > 50
    // lookalike docusign: the "i" swapped for digit one or lowercase L
    or regex.icontains(body.html.raw, '>Docus[1l]gn<')
    // common greetings via email.local_part: the thread text repeats a
    // recipient's mailbox name (the part before "@"), as mail-merge lures do
    or any(recipients.to, strings.icontains(body.current_thread.text, .email.local_part))
  )
  // Call to action: a link whose display text is a credential / document lure ...
  and (
    any(body.links,
        regex.icontains(.display_text,
                        "activate",
                        "re-auth",
                        "verify",
                        "acknowledg",
                        "(keep|change).{0,20}(active|password|access)",
                        '((verify|view|click|download|goto|keep|Vιew|release).{0,15}(attachment|current|download|fax|file|document|message|same)s?)',
                        'use.same.pass',
                        'validate.{0,15}account',
                        'recover.{0,15}messages',
                        '(retry|update).{0,10}payment',
                        'check activity',
                        '(listen|play).{0,10}(vm|voice)',
                        'clarify.{0,20}(deposit|wallet|funds)',
                        'enter.{0,15}teams',
                        'Review and sign'
        )
    )
    // ... or an action label written entirely in capitals: the case-sensitive
    // keyword match plus a display text with no lowercase letter and at least
    // one uppercase letter
    or any(body.links,
           (
             regex.contains(.display_text,
                            "\\bVIEW",
                            "DOWNLOAD",
                            "CHECK",
                            "KEEP.(SAME|MY)",
                            "VERIFY",
                            "ACCESS\\b",
                            "SIGN\\b",
                            "ENABLE\\b",
                            "RETAIN",
                            "PLAY",
                            "LISTEN",
             )
             and regex.match(.display_text, "^[^a-z]*[A-Z][^a-z]*$")
           )
    )
  )
  // Sender reputation gate: fire for unsolicited senders, or for senders with
  // prior malicious/spam messages. The inner "and not any_false_positives" is
  // already implied by the unconditional check that follows; harmless, left as-is.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives

  // negate replies/forwards containing legitimate docs: a non-empty References
  // header, or an In-Reply-To field on any hop
  and not (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )

  // negate highly trusted sender domains unless they fail DMARC authentication:
  // a root domain on the $high_trust_sender_root_domains list passes only when
  // some hop's DMARC result ends in "fail" (spoofed trusted brand)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "HTML analysis"
  - "URL analysis"
  - "Sender analysis"
id: "9b68c2d8-951e-5e04-9fa3-2ca67d9226a6"