Suspicious DocuSign Share From New Domain
DocuSign shares with new reply-to addresses have been seen in recent attacks.
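# Sublime detection rule. Rendered gutter numbers had been fused into the keys
# (e.g. "1name:") and the YAML / MQL indentation flattened, which made the
# listing invalid as a rule file; restored here with the logic unchanged.
name: "Suspicious DocuSign Share From New Domain"
description: "DocuSign shares with new reply-to addresses have been seen in recent attacks."
type: "rule"
severity: "high"
source: |
  type.inbound

  // reply-to email address has never received an email from your org
  and not any(headers.reply_to, .email.email in $recipient_emails)

  // new reply-to
  // NOTE(review): if whois data is unavailable for the reply-to domain,
  // days_old may be null and this clause would not match, so such messages
  // would be skipped rather than flagged — confirm how the engine treats
  // a null comparison here.
  and any(headers.reply_to, network.whois(.email.domain).days_old < 30)

  // message is from docusign actual
  // The rule only fires on mail that authenticates as DocuSign's own domain
  // (SPF and DMARC pass below), so the pattern it covers is a genuine
  // DocuSign envelope carrying an attacker-controlled reply-to, not a
  // spoofed DocuSign sender.
  and sender.email.domain.root_domain == 'docusign.net'
  and headers.auth_summary.spf.pass
  and (
    headers.auth_summary.spf.details.designator == 'docusign.net'
    // observed subdomains of docusign being used (camail.docusign.net)
    or strings.ends_with(headers.auth_summary.spf.details.designator,
      '.docusign.net'
    )
    // "domain of dse_na4@docusign.net"
    or strings.ends_with(headers.auth_summary.spf.details.designator,
      '@docusign.net'
    )
  )
  and headers.auth_summary.dmarc.pass

  // not a completed DocuSign
  // Case-insensitive prefix match on the subject; this is the rule's only
  // false-positive exclusion. NOTE(review): a localized or re-worded
  // completion subject would not be excluded — confirm against the subjects
  // DocuSign actually sends.
  and not strings.istarts_with(subject.subject, "Completed:")
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "d430a1f3-9a47-59b2-97fc-64b4792d5143"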