HR Impersonation via E-sign Agreement Comment

calendar May 5, 2025  ·
Share on: linkedin copy

This rule inspects messages originating from legitimate e-signature platform infrastructure, with engaging language in the body that matches HR Impersonation criteria.

Sublime rule (View on GitHub)

 1name: "HR Impersonation via E-sign Agreement Comment"
 2description: "This rule inspects messages originating from legitimate e-signature platform infrastructure, with engaging language in the body that matches HR Impersonation criteria."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(attachments) == 0
 8  
 9  // Legitimate Docusign sending infratructure
10  and (
11    sender.email.domain.root_domain in (
12      'docusign.net',
13      'docusign.com',
14      'hellosign.com'
15    )
16    // docusing.com as a reply-to is used in updates to documents, such as views, signs, etc
17    and not any(headers.reply_to, .email.domain.domain == 'docusign.com')
18    // check for SPF or DMARC passed
19    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
20  )
21  
22  // HR Impersonation in body
23  and regex.icontains(body.current_thread.text,
24                      (
25                        '(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
26                      )
27  )
28  
29  // Request and Urgency
30  and (
31    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
32    and (
33      any(ml.nlu_classifier(body.current_thread.text).intents,
34          .name == "cred_theft" and .confidence == "high"
35      )
36      or any(ml.nlu_classifier(body.current_thread.text).entities,
37             .name in ("urgency", "financial")
38      )
39    )
40  )
41  and (
42    any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
43    or length(ml.nlu_classifier(body.current_thread.text).intents) == 0 // not benign but not malicious either
44  )
45
46  //
47  // This rule makes use of a beta feature and is subject to change without notice
48  // using the beta feature in custom rules is not suggested until it has been formally released
49  //
50  
51   // reply-to address has never sent an email to the org
52  and beta.profile.by_reply_to().prevalence == "new"
53  
54  // reply-to email address has never been sent an email by the org
55  and not beta.profile.by_reply_to().solicited
56
57  // Negate legitimate HR docusigns originating from within the org
58  and not (all(headers.reply_to, .email.domain.root_domain in $org_domains))
59  
60  // Negate replies
61  and (
62    length(headers.references) == 0
63    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
64  )  
65
66attack_types:
67  - "BEC/Fraud"
68  - "Credential Phishing"
69tactics_and_techniques:
70  - "Evasion"
71  - "Impersonation: Brand"
72  - "Out of band pivot"
73  - "Social engineering"
74detection_methods:
75  - "Content analysis"
76  - "Header analysis"
77  - "Natural Language Understanding"
78  - "Sender analysis"
79id: "796c6f0f-7571-5b87-b53e-97948e8be474"
to-top