DocuSign Impersonation via Spoofed Intuit Sender

Detects messages appearing to come from Intuit domains with authentication failures while masquerading as DocuSign communications. The sender fails either SPF or DMARC verification, and includes DocuSign branding in either the subject line or display name.

Sublime rule (View on GitHub)

name: "DocuSign Impersonation via Spoofed Intuit Sender"
description: "Detects messages appearing to come from Intuit domains with authentication failures while masquerading as DocuSign communications. The sender fails either SPF or DMARC verification, and includes DocuSign branding in either the subject line or display name."
type: "rule"
severity: "high"
source: |
  type.inbound
  and sender.email.domain.root_domain in ("intuit.com")
  // email auth fails
  and (
    not headers.auth_summary.spf.pass
    or not coalesce(headers.auth_summary.dmarc.pass, false)
  )
  // the subject or display_name includes docusign
  and (
    strings.icontains(subject.subject, "docusign")
    or strings.icontains(sender.display_name, "docusign")
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Spoofing"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "d437710b-ad4e-5618-93de-f559aa27ad8a"
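As an added example (not part of the Sublime rule or its repository), the Python below models the same predicate and runs it over constructed sample messages, including the missing-DMARC case that `coalesce` covers and a lookalike domain that the root-domain check deliberately does not match. Assumptions: messages are plain dicts with field names chosen here, and `root_domain` is approximated as the last two DNS labels (no public-suffix list).

```python
def root_domain(domain: str) -> str:
    """Approximate MQL's root_domain as the last two labels (assumption; no public-suffix list)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def auth_fails(auth: dict) -> bool:
    """Mirror the rule: SPF not passing, or DMARC not passing (missing DMARC counts as fail)."""
    spf_pass = auth.get("spf_pass")      # None models a missing SPF result
    dmarc_pass = auth.get("dmarc_pass")  # None models a missing DMARC result
    # coalesce(dmarc.pass, false): a missing DMARC result is treated as a failure
    dmarc_pass = False if dmarc_pass is None else dmarc_pass
    return (not spf_pass) or (not dmarc_pass)

def matches_rule(msg: dict) -> bool:
    """Evaluate the DocuSign-impersonation rule against one message dict."""
    if not msg.get("inbound", False):
        return False
    if root_domain(msg["sender_domain"]) != "intuit.com":
        return False
    if not auth_fails(msg.get("auth", {})):
        return False
    # strings.icontains: case-insensitive substring match on subject or display name
    subject = msg.get("subject", "").lower()
    display = msg.get("display_name", "").lower()
    return "docusign" in subject or "docusign" in display

# Constructed sample messages (not real traffic); each exercises one branch of the rule.
SAMPLES = {
    "spf_fail_subject_brand": {"inbound": True, "sender_domain": "notify.intuit.com",
        "auth": {"spf_pass": False, "dmarc_pass": True},
        "subject": "Completed: please DocuSign your invoice", "display_name": "Intuit"},
    "dmarc_missing_name_brand": {"inbound": True, "sender_domain": "intuit.com",
        "auth": {"spf_pass": True},  # no DMARC result at all
        "subject": "Invoice ready", "display_name": "DocuSign via Intuit"},
    "auth_pass_legit": {"inbound": True, "sender_domain": "intuit.com",
        "auth": {"spf_pass": True, "dmarc_pass": True},
        "subject": "Completed: please DocuSign your invoice", "display_name": "Intuit"},
    "no_brand_mention": {"inbound": True, "sender_domain": "intuit.com",
        "auth": {"spf_pass": False, "dmarc_pass": False},
        "subject": "Your QuickBooks invoice", "display_name": "Intuit"},
    "lookalike_not_root": {"inbound": True, "sender_domain": "intuit.com.example.net",
        "auth": {"spf_pass": False, "dmarc_pass": False},
        "subject": "DocuSign: document to sign", "display_name": "Intuit"},
}

def evaluate_all() -> dict:
    """Run every sample through the rule; True means the rule would fire."""
    return {name: matches_rule(m) for name, m in SAMPLES.items()}
```

Calling `evaluate_all()` fires on the first two samples only; the lookalike sample shows that this rule covers only the genuine intuit.com root domain, so lookalike domains need separate coverage.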