Brand impersonation: DocuSign
Attack impersonating a DocuSign request for signature.
# Sublime Security detection rule (MQL in the `source` block).
# Logic is four AND-ed clauses: sender looks like DocuSign, a CTA link leaves
# DocuSign's root domains, genuine DocuSign senders are exempt unless DMARC
# failed, and the sender's profile is unsolicited or previously flagged.
name: "Brand impersonation: DocuSign"
description: |
  Attack impersonating a DocuSign request for signature.
references:
  - "https://playground.sublimesecurity.com?id=2d2c6472-fabb-4952-b902-573a6294aa2f"
type: "rule"
severity: "high"
source: |
  // Scope: inbound mail only.
  type.inbound

  // 1) Sender presents as DocuSign: address, display name, or a one-edit
  //    lookalike of the brand name. This clause only selects candidates;
  //    legitimacy is decided by the negation clauses further down.
  and (
    // orgs can have docusign.company.com
    // Wildcards on both sides: any address containing either string matches,
    // whatever the actual root domain is.
    strings.ilike(sender.email.email, '*docusign.net*', '*docusign.com*')

    // if the above is true, you'll see a "via Docusign"
    or strings.ilike(sender.display_name, '*docusign*')

    // detects 1 character variations,
    // such as DocuSlgn (with an "L" instead of an "I")
    // The whole display name must be within one edit of "docusign";
    // longer names such as "DocuSign Inc" are caught by the ilike above.
    or strings.ilevenshtein(sender.display_name, "docusign") == 1

    or strings.ilike(sender.display_name, "*docuonline*", "*via *signature*")
  )

  // identifies the main CTA in the email, eg "Review now" or "Review document"
  // this should always be a known docusign domain,
  // even with branded docusign subdomains
  // 2) At least one link with CTA-like text whose root domain is not
  //    docusign.com / docusign.net. root_domain is an exact comparison, so
  //    branded DocuSign subdomains still pass.
  and any(body.links,
          // we've observed invisible characters in the display name
          // such as U+034f(look carefully): "Revi͏ew Now"
          // ilevenshtein <= 3 absorbs a few inserted zero-width/combining
          // characters in the link text.
          (
            strings.ilevenshtein(.display_text, "Review Now") <= 3
            or (
              strings.icontains(.display_text, "Review")
              and not strings.icontains(.display_text, "Review Us")
            )
            // NOTE(review): "Now" and "document" are broad substrings; any
            // off-domain link whose text contains them (e.g. "Shop now")
            // satisfies this clause — confirm the false-positive rate.
            or strings.icontains(.display_text, "Now")
            or strings.icontains(.display_text, "document")
          )
          and .href_url.domain.root_domain not in ("docusign.com", "docusign.net")
  )

  // negate legitimate docusign infrastructure
  // 3) Either the sender root domain is DocuSign AND some hop records a
  //    DMARC failure, OR the sender root domain is not DocuSign at all.
  //    A DocuSign-rooted sender with passing DMARC therefore never fires.
  and (
    (
      sender.email.domain.root_domain in ('docusign.net', 'docusign.com')
      and (
        // NOTE(review): distinct() keys hops on the boolean
        // ".authentication_results.dmarc is not null", so at most one hop
        // per truth value is inspected — confirm this is the intended
        // selection rather than a filter for hops that carry a DMARC result.
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in ('docusign.net', 'docusign.com')
  )

  // adding negation for messages originating from docusigns api
  // and the sender.display.name contains "via"
  // NOTE(review): X-Api-Host is a plain message header, not an authenticated
  // result, and ends_with() has no leading-dot anchor, so this exclusion is a
  // heuristic allowlist; it only takes effect after clause 3 and still
  // requires "via" in the display name.
  and not (
    any(headers.hops,
        any(.fields, .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net"))
    )
    // strings.contains is case-sensitive here, unlike the ilike/icontains
    // checks elsewhere in the rule: "Via DocuSign" would not be excluded.
    // Confirm whether that narrower match is intended.
    and strings.contains(sender.display_name, "via")
  )

  // 4) Sender profile gate: fire when the sender is not solicited, or when a
  //    solicited sender has any_messages_malicious_or_spam set and no
  //    any_false_positives recorded.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
# Taxonomy tags used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "4d29235c-08b9-5f9b-950e-60b05c4691fb"