Brand impersonation: DocuSign

Attack impersonating a DocuSign request for signature.

Sublime rule

 1name: "Brand impersonation: DocuSign"
 2description: |
 3    Attack impersonating a DocuSign request for signature.
 4references:
 5  - "https://playground.sublimesecurity.com?id=2d2c6472-fabb-4952-b902-573a6294aa2f"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and (
11    // orgs can have docusign.company.com
12    strings.ilike(sender.email.email, '*docusign.net*', '*docusign.com*')
13  
14    // if the above is true, you'll see a "via Docusign"
15    or strings.ilike(sender.display_name, '*docusign*')
16  
17    // detects 1 character variations,
18    // such as DocuSlgn (with an "L" instead of an "I")
19    or strings.ilevenshtein(sender.display_name, "docusign") == 1
20    or strings.ilike(sender.display_name, "*docuonline*", "*via *signature*")
21    or (
22      strings.istarts_with(body.html.inner_text, "docusign")
23      and not strings.istarts_with(body.current_thread.text, "docusign")
24    )
25  )
26  
27  // identifies the main CTA in the email, eg "Review now" or "Review document"
28  // this should always be a known docusign domain,
29  // even with branded docusign subdomains
30  and any(body.links,
31          // we've observed invisible characters in the display name
32          // such as U+034f(look carefully): "Revi͏ew Now"
33          (
34            strings.ilevenshtein(.display_text, "Review Now") <= 3
35            or (
36              strings.icontains(.display_text, "Review")
37              and not strings.icontains(.display_text, "Review Us")
38            )
39            or strings.icontains(.display_text, "Now")
40            or strings.icontains(.display_text, "document")
41          )
42          and .href_url.domain.root_domain not in ("docusign.com", "docusign.net")
43  )
44  
45  // negate highly trusted sender domains unless they fail DMARC authentication
46  and (
47    coalesce(sender.email.domain.root_domain in $high_trust_sender_root_domains
48             and not headers.auth_summary.dmarc.pass,
49             false
50    )
51    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
52  )
53  
54  // adding negation for messages originating from docusigns api
55  // and the sender.display.name contains "via"
56  and not (
57    any(headers.hops,
58        any(.fields,
59            .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
60        )
61    )
62    and strings.contains(sender.display_name, "via")
63  )
64  and (
65    not profile.by_sender().solicited
66    or (
67      profile.by_sender().any_messages_malicious_or_spam
68      and not profile.by_sender().any_false_positives
69    )
70  )  
71attack_types:
72  - "Credential Phishing"
73tactics_and_techniques:
74  - "Impersonation: Brand"
75  - "Lookalike domain"
76  - "Social engineering"
77  - "Spoofing"
78detection_methods:
79  - "Header analysis"
80  - "Sender analysis"
81  - "URL analysis"
82id: "4d29235c-08b9-5f9b-950e-60b05c4691fb"