Brand impersonation: DocuSign

Detects an attack that impersonates a DocuSign request for signature.

Sublime rule

name: "Brand impersonation: DocuSign"
description: |
    Attack impersonating a DocuSign request for signature.
references:
  - "https://playground.sublimesecurity.com?id=2d2c6472-fabb-4952-b902-573a6294aa2f"
type: "rule"
severity: "high"
source: |
  // Rule structure, top to bottom:
  //   (sender looks like DocuSign)
  //   and (a call-to-action link points away from the DocuSign root domains)
  //   and (sender is not authenticated DocuSign infrastructure)
  //   and not (DocuSign API hop header + "via" in the display name)
  //   and (sender is unsolicited, or solicited with malicious/spam history and no false positives)
  type.inbound
  and (
    // orgs can have docusign.company.com
    // substring match on the full address: any address that merely contains
    // "docusign.net" or "docusign.com" matches here; genuine DocuSign senders
    // are carved out by the root_domain / DMARC block further down
    strings.ilike(sender.email.email, '*docusign.net*', '*docusign.com*')

    // if the above is true, you'll see a "via Docusign"
    or strings.ilike(sender.display_name, '*docusign*')

    // detects 1 character variations,
    // such as DocuSlgn (with an "L" instead of an "I")
    // the distance is computed against the whole display name, so this
    // clause only catches names that are themselves one edit away from "docusign"
    or strings.ilevenshtein(sender.display_name, "docusign") == 1

    or strings.ilike(sender.display_name, "*docuonline*", "*via *signature*")
  )

  // identifies the main CTA in the email, eg "Review now" or "Review document"
  // this should always be a known docusign domain,
  // even with branded docusign subdomains
  and any(body.links,
          // we've observed invisible characters in the display name
          // such as U+034f(look carefully): "Revi͏ew Now"
          // the <= 3 distance threshold is what absorbs those inserted characters
          (
            strings.ilevenshtein(.display_text, "Review Now") <= 3
            or (
              strings.icontains(.display_text, "Review")
              and not strings.icontains(.display_text, "Review Us")
            )
            or strings.icontains(.display_text, "Now")
            or strings.icontains(.display_text, "document")
          )
          // one link with CTA-like text whose root domain is not DocuSign's is enough
          and .href_url.domain.root_domain not in ("docusign.com", "docusign.net")
  )

  // negate legitimate docusign infrastructure
  // a sender on a real DocuSign root domain is kept only if some hop recorded a
  // DMARC result matching "*fail" (i.e. the DocuSign domain is being spoofed);
  // senders on any other root domain pass through this block unconditionally
  and (
    (
      sender.email.domain.root_domain in ('docusign.net', 'docusign.com')
      and (
        // only hops that actually carry a DMARC result are inspected
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in ('docusign.net', 'docusign.com')
  )

  // adding negation for messages originating from docusigns api
  // and the sender.display.name contains "via"
  // NOTE(review): X-Api-Host is an ordinary message header rather than an
  // authentication result, and this exclusion does not additionally require the
  // DocuSign root domain or a DMARC pass, so it is a weaker carve-out than the
  // block above — consider also tying it to sender.email.domain.root_domain.
  // The ends_with check has no leading "." boundary, and contains() appears to be
  // case-sensitive here while the rest of the rule uses the i-prefixed variants
  // ("Via" would not match) — confirm this is intended.
  and not (
    any(headers.hops,
        any(.fields, .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net"))
    )
    and strings.contains(sender.display_name, "via")
  )
  // sender-reputation gate: fire on unsolicited senders, or on solicited senders
  // that already have malicious/spam history and no recorded false positives
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )  
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "4d29235c-08b9-5f9b-950e-60b05c4691fb"