Credential Phishing: Suspicious E-sign Agreement Document Notification
Detects phishing attempts disguised as e-signature requests, characterized by common document sharing phrases, unusual HTML padding, and suspicious link text.
# Sublime Security detection rule: YAML metadata around an MQL `source` query.
# The query fires on inbound mail that (1) carries an e-sign / shared-document
# lure in the subject or sender display name, (2) shows padded or disguised
# HTML in the body, (3) links out with call-to-action display text typical of
# credential harvesting, and (4) comes from an unsolicited or previously
# malicious/spam sender; high-trust root domains are exempt unless DMARC fails.
name: "Credential Phishing: Suspicious E-sign Agreement Document Notification"
description: "Detects phishing attempts disguised as e-signature requests, characterized by common document sharing phrases, unusual HTML padding, and suspicious link text."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // (1) lure: subject or sender display name matches an e-sign / shared-document
  //     phrase after confusable characters are normalized
  //     (strings.replace_confusables). The "." inside patterns such as
  //     "Review.&.Sign" is a regex wildcard, presumably to tolerate spaces or
  //     separators; "Dochsared", "D0cuSign", "Docxxx" look like deliberate
  //     misspelling matches rather than typos.
  and any([subject.subject, sender.display_name],
          regex.icontains(strings.replace_confusables(.),
                          "DocuLink",
                          "Access.&.Approved",
                          "Attend.and.Review",
                          "Completed.File",
                          "Dochsared",
                          "Docshared",
                          "DocsPoint",
                          "Document.Shared",
                          "DocuCentre",
                          "DocuCenter",
                          "DocCenter",
                          "DocsOnline",
                          "\\beSign",
                          "e\\.sign",
                          "e-doc",
                          "e-signature",
                          "eSignature",
                          "eSign&Return",
                          "eSignOnline",
                          "Fileshare",
                          "Review.and.Complete",
                          "Review.&.Sign",
                          "SignOnline",
                          "Signature.Request",
                          "Shared.Completed",
                          "Sign.and.Seal",
                          "viaSign",
                          "D0cuSign",
                          "DocsID",
                          "Complete.{0,10}DocuSign",
                          "Enroll & Sign",
                          "Review and Sign",
                          "SignReport",
                          "SignDoc",
                          "Docxxx",
                          "docufile",
                          "E-Sign&Return",
                          "document.signature",
          )
  )
  // (2) body: padding (long runs of <br>, empty <p>, or more than 50 double
  //     spaces), a look-alike "Docus1gn"/"Docuslgn" string, or the recipient's
  //     own address local part echoed in the thread text.
  // NOTE(review): the double-quoted patterns above write a regex backslash as
  //     "\\b" while the single-quoted patterns below write "\s" unescaped;
  //     keep that distinction when extending either list.
  // NOTE(review): the blank inside '<p> </p>' may be a non-breaking space in
  //     the original file rather than a plain space - confirm before editing.
  // NOTE(review): a one- or two-character local part in recipients.to would
  //     match almost any body text; a minimum-length guard may be worthwhile.
  and (
    regex.icontains(body.html.raw, '((<br\s*/?>\s*){20,}|\n{20,})')
    or regex.icontains(body.html.raw, '(<p[^>]*>\s*<br\s*/?>\s*</p>\s*){30,}')
    or regex.icontains(body.html.raw,
                       '(<p class=".*?"><span style=".*?"><o:p> </o:p></span></p>\s*){30,}'
    )
    or regex.icontains(body.html.raw, '(<p> </p>\s*){7,}')
    or regex.icontains(body.html.raw, '(<p[^>]*>\s* <br>\s*</p>\s*){5,}')
    or regex.icontains(body.html.raw, '(<p[^>]*> </p>\s*){7,}')
    or regex.icontains(body.html.raw, '>Docus[1l]gn<')
    or strings.count(body.html.raw, '  ') > 50
    or any(recipients.to, strings.icontains(body.current_thread.text, .email.local_part))
  )
  // (3) links: display text is a credential / document call-to-action
  //     (case-insensitive), or contains an imperative such as VIEW, DOWNLOAD,
  //     SIGN and has no lowercase letters at all (the regex.match below).
  //     "Vιew" intentionally carries a Greek iota to catch a homoglyph spelling.
  and (
    any(body.links,
        regex.icontains(.display_text,
                        "activate",
                        "re-auth",
                        "verify",
                        "acknowledg",
                        "(keep|change).{0,20}(active|password|access)",
                        '((verify|view|click|download|goto|keep|Vιew|release).{0,10}(attachment|current|download|fax|file|document|message|same)s?)',
                        'use.same.pass',
                        'validate.{0,15}account',
                        'recover.{0,15}messages',
                        '(retry|update).{0,10}payment',
                        'check activity',
                        '(listen|play).{0,10}(vm|voice)',
                        'clarify.{0,20}(deposit|wallet|funds)',
                        'enter.{0,15}teams',
                        'Review and sign'
        )
    )
    or any(body.links,
           (
             regex.contains(.display_text,
                            "\\bVIEW",
                            "DOWNLOAD",
                            "CHECK",
                            "KEEP.(SAME|MY)",
                            "VERIFY",
                            "ACCESS\\b",
                            "SIGN\\b",
                            "ENABLE\\b",
                            "RETAIN",
                            "PLAY",
                            "LISTEN",
             )
             and regex.match(.display_text, "^[^a-z]*[A-Z][^a-z]*$")
           )
    )
  )
  // (4) sender: unsolicited, or previously malicious/spam with no false
  //     positives. The standalone any_false_positives exclusion that follows
  //     already implies the inner "and not ... any_false_positives"; the
  //     duplication is harmless.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives

  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a trusted root domain only stays in scope when some hop that recorded a
  // DMARC result reports a value ending in "fail")
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# Classification metadata used for reporting and rule grouping.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "HTML analysis"
  - "URL analysis"
  - "Sender analysis"
id: "9b68c2d8-951e-5e04-9fa3-2ca67d9226a6"