Suspicious DocuSign Share From New Domain
DocuSign shares with new reply-to addresses have been seen in recent attacks.
Sublime rule (View on GitHub)
1name: "Suspicious DocuSign Share From New Domain"
2description: "DocuSign shares with new reply-to addresses have been seen in recent attacks."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7
8 // message is from docusign actual
9 and sender.email.domain.root_domain == 'docusign.net'
10 and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
11
12 //
13 // This rule makes use of a beta feature and is subject to change without notice
14 // using the beta feature in custom rules is not suggested until it has been formally released
15 //
16
17 // reply-to email address has never been sent an email by the org
18 and not beta.profile.by_reply_to().solicited
19
20 // new reply-to
21 and any(headers.reply_to, network.whois(.email.domain).days_old < 30)
22
23 // not a completed DocuSign
24 and not strings.istarts_with(subject.subject, "Completed:")
25tags:
26 - "Attack surface reduction"
27attack_types:
28 - "BEC/Fraud"
29 - "Credential Phishing"
30tactics_and_techniques:
31 - "Evasion"
32 - "Free file host"
33 - "Impersonation: Brand"
34 - "Social engineering"
35detection_methods:
36 - "Content analysis"
37 - "Header analysis"
38 - "Sender analysis"
39id: "d430a1f3-9a47-59b2-97fc-64b4792d5143"
Related rules
- Link: Secure SharePoint file share from new or unusual sender
- Service Abuse: DocSend Share From an Unsolicited Reply-To Address
- Service Abuse: DocuSign Share From an Unsolicited Reply-To Address
- Service Abuse: Dropbox Share From New Domain
- Service Abuse: Dropbox Share From an Unsolicited Reply-To Address