DocuSign Impersonation via CloudHQ Links

Identifies inbound messages that contain a CloudHQ share link (a cloudhq.net URL whose path begins with /s/) from a sender whose domain is not cloudhq.net, where the subject line or the sender display name references DocuSign. Messages carrying more than one distinct cloudhq.net link are not matched.

Sublime rule (View on GitHub)

 1name: "DocuSign Impersonation via CloudHQ Links"
 2description: "Identifies messages containing CloudHQ share links from senders outside the CloudHQ domain who are impersonating DocuSign in either the subject line or display name."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          .href_url.domain.root_domain == "cloudhq.net"
 9          and strings.starts_with(.href_url.path, "/s/")
10          and sender.email.domain.root_domain != 'cloudhq.net'
11  )
12  
13  // the subject or display_name includes docusign
14  and (
15    regex.icontains(strings.replace_confusables(subject.subject),
16                    '\bdocu\s*sign\b'
17    )
18    or regex.icontains(strings.replace_confusables(sender.display_name),
19                       '\bdocu\s*sign\b'
20    )
21  )
22  
23  // there is one unique cloudhq link in the message
24  and length(distinct(filter(body.links,
25                             .href_url.domain.root_domain == "cloudhq.net"
26                      ),
27                      .href_url.url
28             )
29  ) <= 1  
30
31attack_types:
32  - "Credential Phishing"
33  - "BEC/Fraud"
34tactics_and_techniques:
35  - "Impersonation: Brand"
36  - "Free file host"
37detection_methods:
38  - "Header analysis"
39  - "URL analysis"
40  - "Content analysis"
41  - "Sender analysis"
42id: "44ba2fee-fe36-5a53-9da8-febecab405f6"