Credential Phishing: Suspicious E-sign Agreement Document Notification

Detects phishing attempts disguised as e-signature requests, characterized by common document sharing phrases, unusual HTML padding, and suspicious link text.

Sublime rule (View on GitHub)

  1name: "Credential Phishing: Suspicious E-sign Agreement Document Notification"
  2description: "Detects phishing attempts disguised as e-signature requests, characterized by common document sharing phrases, unusual HTML padding, and suspicious link text."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and any([subject.subject, sender.display_name],
  8          regex.icontains(strings.replace_confusables(.),
  9                          "DocuLink",
 10                          "Access.&.Approved",
 11                          "Attend.and.Review",
 12                          "Completed.File",
 13                          "Dochsared",
 14                          "Docshared",
 15                          "DocsPoint",
 16                          "Document.Shared",
 17                          "DocuCentre",
 18                          "DocuCenter",
 19                          "DocCenter",
 20                          "DocsOnline",
 21                          "\\beSign",
 22                          "e\\.sign",
 23                          "eSignature",
 24                          "eSign&Return",
 25                          "eSignOnline",
 26                          "Fileshare",
 27                          "Review.and.Complete",
 28                          "Review.&.Sign",
 29                          "SignOnline",
 30                          "Signature.Request",
 31                          "Shared.Completed",
 32                          "Sign.and.Seal",
 33                          "viaSign",
 34                          "D0cuSign",
 35                          "DocsID",
 36                          "Complete.{0,10}DocuSign",
 37                          "Enroll & Sign",
 38                          "Review and Sign",
 39                          "SignReport",
 40                          "SignDoc",
 41                          "Docxxx",
 42                          "docufile",
 43                          "E­-­S­i­g­n­&Return",
 44                          "document.signature",
 45          )
 46  )
 47  and (
 48    regex.icontains(body.html.raw, '((<br\s*/?>\s*){20,}|\n{20,})')
 49    or regex.icontains(body.html.raw, '(<p[^>]*>\s*<br\s*/?>\s*</p>\s*){30,}')
 50    or regex.icontains(body.html.raw,
 51                       '(<p class=".*?"><span style=".*?"><o:p>&nbsp;</o:p></span></p>\s*){30,}'
 52    )
 53    or regex.icontains(body.html.raw, '(<p>&nbsp;</p>\s*){7,}')
 54    or regex.icontains(body.html.raw, '(<p[^>]*>\s*&nbsp;<br>\s*</p>\s*){5,}')
 55    or regex.icontains(body.html.raw, '(<p[^>]*>&nbsp;</p>\s*){7,}')
 56    or strings.count(body.html.raw, '&nbsp;‌&nbsp;‌&nbsp') > 50
 57  )
 58  and (
 59    any(body.links,
 60        regex.icontains(.display_text,
 61                        "activate",
 62                        "re-auth",
 63                        "verify",
 64                        "acknowledg",
 65                        "(keep|change).{0,20}(active|password|access)",
 66                        '((verify|view|click|download|goto|keep|Vιew|release).{0,10}(attachment|current|download|fax|file|document|message|same)s?)',
 67                        'use.same.pass',
 68                        'validate.{0,15}account',
 69                        'recover.{0,15}messages',
 70                        '(retry|update).{0,10}payment',
 71                        'check activity',
 72                        '(listen|play).{0,10}(vm|voice)',
 73                        'clarify.{0,20}(deposit|wallet|funds)',
 74                        'enter.{0,15}teams',
 75                        'Review and sign'
 76        )
 77    )
 78    or any(body.links,
 79           (
 80             regex.contains(.display_text,
 81                            "\\bVIEW",
 82                            "DOWNLOAD",
 83                            "CHECK",
 84                            "KEEP.(SAME|MY)",
 85                            "VERIFY",
 86                            "ACCESS\\b",
 87                            "SIGN\\b",
 88                            "ENABLE\\b",
 89                            "RETAIN",
 90                            "PLAY",
 91                            "LISTEN",
 92             )
 93             and regex.match(.display_text, "^[^a-z]*[A-Z][^a-z]*$")
 94           )
 95    )
 96  )
 97  and (
 98    not profile.by_sender().solicited
 99    or (
100      profile.by_sender().any_messages_malicious_or_spam
101      and not profile.by_sender().any_false_positives
102    )
103  )
104  and not profile.by_sender().any_false_positives
105  
106  // negate highly trusted sender domains unless they fail DMARC authentication
107  and (
108    (
109      sender.email.domain.root_domain in $high_trust_sender_root_domains
110      and (
111        any(distinct(headers.hops, .authentication_results.dmarc is not null),
112            strings.ilike(.authentication_results.dmarc, "*fail")
113        )
114      )
115    )
116    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
117  )  
118
119attack_types:
120  - "Credential Phishing"
121tactics_and_techniques:
122  - "Social engineering"
123detection_methods:
124  - "Content analysis"
125  - "Header analysis"
126  - "HTML analysis"
127  - "URL analysis"
128  - "Sender analysis"
129id: "9b68c2d8-951e-5e04-9fa3-2ca67d9226a6"
to-top