Brand impersonation: DocuSign
Attack impersonating a DocuSign request for signature.
1name: "Brand impersonation: DocuSign"
2description: |
3 Attack impersonating a DocuSign request for signature.
4references:
5 - "https://playground.sublimesecurity.com?id=2d2c6472-fabb-4952-b902-573a6294aa2f"
6type: "rule"
7severity: "high"
8source: |
9 type.inbound
10 and (
11 // orgs can have docusign.company.com
12 strings.ilike(sender.email.email, '*docusign.net*', '*docusign.com*')
13
14 // if the above is true, you'll see a "via Docusign"
15 or strings.ilike(sender.display_name, '*docusign*')
16
17 // detects 1 character variations,
18 // such as DocuSlgn (with an "L" instead of an "I")
19 or strings.ilevenshtein(sender.display_name, "docusign") == 1
20 or strings.ilike(sender.display_name, "*docuonline*", "*via *signature*")
21 or (
22 strings.istarts_with(body.html.inner_text, "docusign")
23 and not strings.istarts_with(body.current_thread.text, "docusign")
24 )
25 )
26
27 // identifies the main CTA in the email, eg "Review now" or "Review document"
28 // this should always be a known docusign domain,
29 // even with branded docusign subdomains
30 and any(body.links,
31 // we've observed invisible characters in the display name
32 // such as U+034f(look carefully): "Revi͏ew Now"
33 (
34 strings.ilevenshtein(.display_text, "Review Now") <= 3
35 or (
36 strings.icontains(.display_text, "Review")
37 and not strings.icontains(.display_text, "Review Us")
38 )
39 or strings.icontains(.display_text, "Now")
40 or strings.icontains(.display_text, "document")
41 )
42 and .href_url.domain.root_domain not in ("docusign.com", "docusign.net")
43 )
44
45 // negate highly trusted sender domains unless they fail DMARC authentication
46 and (
47 coalesce(sender.email.domain.root_domain in $high_trust_sender_root_domains
48 and not headers.auth_summary.dmarc.pass,
49 false
50 )
51 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
52 )
53
54 // adding negation for messages originating from docusigns api
55 // and the sender.display.name contains "via"
56 and not (
57 any(headers.hops,
58 any(.fields,
59 .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
60 )
61 )
62 and strings.contains(sender.display_name, "via")
63 )
64 and (
65 not profile.by_sender().solicited
66 or (
67 profile.by_sender().any_messages_malicious_or_spam
68 and not profile.by_sender().any_false_positives
69 )
70 )
71attack_types:
72 - "Credential Phishing"
73tactics_and_techniques:
74 - "Impersonation: Brand"
75 - "Lookalike domain"
76 - "Social engineering"
77 - "Spoofing"
78detection_methods:
79 - "Header analysis"
80 - "Sender analysis"
81 - "URL analysis"
82id: "4d29235c-08b9-5f9b-950e-60b05c4691fb"