Credential Phishing: Suspicious E-sign Agreement Document Notification

Detects phishing attempts disguised as e-signature requests, characterized by common document sharing phrases, unusual HTML padding, and suspicious link text.

Sublime rule (View on GitHub)

  1name: "Credential Phishing: Suspicious E-sign Agreement Document Notification"
  2description: "Detects phishing attempts disguised as e-signature requests, characterized by common document sharing phrases, unusual HTML padding, and suspicious link text."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and any([subject.subject, sender.display_name],
  8          regex.icontains(strings.replace_confusables(.),
  9                          "DocuLink",
 10                          "Access.&.Approved",
 11                          "Attend.and.Review",
 12                          "Completed.File",
 13                          "Dochsared",
 14                          "Docshared",
 15                          "DocsPoint",
 16                          "Document.Shared",
 17                          "DocuCentre",
 18                          "DocuCenter",
 19                          "DocCenter",
 20                          "DocsOnline",
 21                          "DocSend",
 22                          "\\beSign",
 23                          "e\\.sign",
 24                          "e-doc",
 25                          "e-signature",
 26                          "eSignature",
 27                          "eSign&Return",
 28                          "eSignOnline",
 29                          "Fileshare",
 30                          "Review.and.Complete",
 31                          "Review.&.Sign",
 32                          "SignOnline",
 33                          "Signature.Request",
 34                          "Shared.Completed",
 35                          "Sign.and.Seal",
 36                          "viaSign",
 37                          "D0cuSign",
 38                          "DocsID",
 39                          "Complete.{0,10}DocuSign",
 40                          "Enroll & Sign",
 41                          "Review and Sign",
 42                          "SignReport",
 43                          "SignDoc",
 44                          "Docxxx",
 45                          "docufile",
 46                          "E­-­S­i­g­n­&Return",
 47                          "document.signature",
 48          )
 49  )
 50  and (
 51    // unusal repeated patterns in HTML 
 52    regex.icontains(body.html.raw, '((<br\s*/?>\s*){20,}|\n{20,})')
 53    or regex.icontains(body.html.raw, '(<p[^>]*>\s*<br\s*/?>\s*</p>\s*){30,}')
 54    or regex.icontains(body.html.raw,
 55                       '(<p class=".*?"><span style=".*?"><o:p>&nbsp;</o:p></span></p>\s*){30,}'
 56    )
 57    or regex.icontains(body.html.raw, '(<p>&nbsp;</p>\s*){7,}')
 58    or regex.icontains(body.html.raw, '(<p[^>]*>\s*&nbsp;<br>\s*</p>\s*){5,}')
 59    or regex.icontains(body.html.raw, '(<p[^>]*>&nbsp;</p>\s*){7,}')
 60    or strings.count(body.html.raw, '&nbsp;‌&nbsp;‌&nbsp') > 50
 61    or regex.count(body.html.raw,
 62                  '<span\s*class\s*=\s*"[^\"]+"\s*>\s*[a-z]\s*<\/span><span\s*class\s*=\s*"[^\"]+"\s*>\s*[a-z]+\s*<\/span>'
 63      ) > 50
 64    // lookalike docusign
 65    or regex.icontains(body.html.raw, '>Docus[1l]gn<')
 66    // common greetings via email.local_part
 67    or any(recipients.to, strings.icontains(body.current_thread.text, .email.local_part))
 68  )
 69  and (
 70    any(body.links,
 71        regex.icontains(.display_text,
 72                        "activate",
 73                        "re-auth",
 74                        "verify",
 75                        "acknowledg",
 76                        "(keep|change).{0,20}(active|password|access)",
 77                        '((verify|view|click|download|goto|keep|Vιew|release).{0,15}(attachment|current|download|fax|file|document|message|same)s?)',
 78                        'use.same.pass',
 79                        'validate.{0,15}account',
 80                        'recover.{0,15}messages',
 81                        '(retry|update).{0,10}payment',
 82                        'check activity',
 83                        '(listen|play).{0,10}(vm|voice)',
 84                        'clarify.{0,20}(deposit|wallet|funds)',
 85                        'enter.{0,15}teams',
 86                        'Review and sign'
 87        )
 88    )
 89    or any(body.links,
 90           (
 91             regex.contains(.display_text,
 92                            "\\bVIEW",
 93                            "DOWNLOAD",
 94                            "CHECK",
 95                            "KEEP.(SAME|MY)",
 96                            "VERIFY",
 97                            "ACCESS\\b",
 98                            "SIGN\\b",
 99                            "ENABLE\\b",
100                            "RETAIN",
101                            "PLAY",
102                            "LISTEN",
103             )
104             and regex.match(.display_text, "^[^a-z]*[A-Z][^a-z]*$")
105           )
106    )
107  )
108  and (
109    not profile.by_sender().solicited
110    or (
111      profile.by_sender().any_messages_malicious_or_spam
112      and not profile.by_sender().any_false_positives
113    )
114  )
115  and not profile.by_sender().any_false_positives
116
117  // negate replies/fowards containing legitimate docs
118  and not (
119    length(headers.references) > 0
120    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
121  )
122  
123  // negate highly trusted sender domains unless they fail DMARC authentication
124  and (
125    (
126      sender.email.domain.root_domain in $high_trust_sender_root_domains
127      and (
128        any(distinct(headers.hops, .authentication_results.dmarc is not null),
129            strings.ilike(.authentication_results.dmarc, "*fail")
130        )
131      )
132    )
133    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
134  )  
135
136attack_types:
137  - "Credential Phishing"
138tactics_and_techniques:
139  - "Social engineering"
140detection_methods:
141  - "Content analysis"
142  - "Header analysis"
143  - "HTML analysis"
144  - "URL analysis"
145  - "Sender analysis"
146id: "9b68c2d8-951e-5e04-9fa3-2ca67d9226a6"