HR Impersonation via E-sign Agreement Comment
This rule inspects messages originating from legitimate e-signature platform infrastructure, with engaging language in the body that matches HR Impersonation criteria.
Sublime rule (View on GitHub)
1name: "HR Impersonation via E-sign Agreement Comment"
2description: "This rule inspects messages originating from legitimate e-signature platform infrastructure, with engaging language in the body that matches HR Impersonation criteria."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and length(attachments) == 0
8
9 // Legitimate Docusign sending infratructure
10 and (
11 sender.email.domain.root_domain in (
12 'docusign.net',
13 'docusign.com',
14 'hellosign.com'
15 )
16 // check for SPF or DMARC passed
17 and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
18 )
19
20 // HR Impersonation in body
21 and regex.icontains(body.current_thread.text,
22 (
23 '(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
24 )
25 )
26
27 // Request and Urgency
28 and (
29 any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
30 and (
31 any(ml.nlu_classifier(body.current_thread.text).intents,
32 .name == "cred_theft" and .confidence == "high"
33 )
34 or any(ml.nlu_classifier(body.current_thread.text).entities,
35 .name in ("urgency", "financial")
36 )
37 )
38 )
39 and (
40 any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
41 or length(ml.nlu_classifier(body.current_thread.text).intents) == 0 // not benign but not malicious either
42 )
43
44 // Negate legitimate HR docusigns originating from within the org
45 and not (all(headers.reply_to, .email.domain.root_domain in $org_domains))
46
47 // Negate replies
48 and (
49 length(headers.references) == 0
50 or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
51 )
52
53attack_types:
54 - "BEC/Fraud"
55 - "Credential Phishing"
56tactics_and_techniques:
57 - "Evasion"
58 - "Impersonation: Brand"
59 - "Out of band pivot"
60 - "Social engineering"
61detection_methods:
62 - "Content analysis"
63 - "Header analysis"
64 - "Natural Language Understanding"
65 - "Sender analysis"
66id: "796c6f0f-7571-5b87-b53e-97948e8be474"