HR Impersonation via E-sign Agreement Comment

This rule inspects messages originating from legitimate e-signature platform infrastructure, with engaging language in the body that matches HR Impersonation criteria.

Sublime rule (View on GitHub)

 1name: "HR Impersonation via E-sign Agreement Comment"
 2description: "This rule inspects messages originating from legitimate e-signature platform infrastructure, with engaging language in the body that matches HR Impersonation criteria."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(attachments) == 0
 8  
 9  // Legitimate Docusign sending infratructure
10  and (
11    sender.email.domain.root_domain in (
12      'docusign.net',
13      'docusign.com',
14      'hellosign.com'
15    )
16    // check for SPF or DMARC passed
17    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
18  )
19  
20  // HR Impersonation in body
21  and regex.icontains(body.current_thread.text,
22                      (
23                        '(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
24                      )
25  )
26  
27  // Request and Urgency
28  and (
29    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
30    and (
31      any(ml.nlu_classifier(body.current_thread.text).intents,
32          .name == "cred_theft" and .confidence == "high"
33      )
34      or any(ml.nlu_classifier(body.current_thread.text).entities,
35             .name in ("urgency", "financial")
36      )
37    )
38  )
39  and (
40    any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
41    or length(ml.nlu_classifier(body.current_thread.text).intents) == 0 // not benign but not malicious either
42  )
43  
44  // Negate legitimate HR docusigns originating from within the org
45  and not (all(headers.reply_to, .email.domain.root_domain in $org_domains))
46  
47  // Negate replies
48  and (
49    length(headers.references) == 0
50    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
51  )  
52
53attack_types:
54  - "BEC/Fraud"
55  - "Credential Phishing"
56tactics_and_techniques:
57  - "Evasion"
58  - "Impersonation: Brand"
59  - "Out of band pivot"
60  - "Social engineering"
61detection_methods:
62  - "Content analysis"
63  - "Header analysis"
64  - "Natural Language Understanding"
65  - "Sender analysis"
66id: "796c6f0f-7571-5b87-b53e-97948e8be474"
to-top