Link: Multistage landing - Abused Docusign

This rule matches message groups that use a genuine DocuSign envelope as a landing page. The DocuSign page contains links that point to newly registered domains, free file or subdomain hosts, or URL shorteners, or that, when visited, are phishing pages, lead to a captcha, or redirect to a top website.

Sublime rule (View on GitHub)

name: "Link: Multistage landing - Abused Docusign"
description: "The detection rule matches on message groups which make use of Docusign as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, URL shorteners or when visited are phishing pages, lead to a captcha or redirect to a top website."
type: "rule"
severity: "high"
source: |
  type.inbound

  //
  // This rule makes use of a beta feature and is subject to change without notice
  // using the beta feature in custom rules is not suggested until it has been formally released
  //

  // reply-to email address has never been sent an email by the org
  and not beta.profile.by_reply_to().solicited

  // do not match if the reply_to address has been observed as a reply_to address
  // of a message that has been classified as benign
  and not beta.profile.by_reply_to().any_messages_benign

  // message is from docusign actual
  and sender.email.domain.root_domain == 'docusign.net'
  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)

  // filter out all the links, keeping only the links of interest
  and any(filter(body.links,
                 // target the DocuSign link
                 (
                   regex.icontains(.display_text,
                                   "((view|show).completed.document|(?:re)?view doc|view.attached)"
                   )
                   or strings.icontains(.href_url.url, '/Signing/EmailStart.aspx')
                   or strings.icontains(.href_url.url, '/signing/emails/v')
                 )
          ),

          // filter down the links on the docusign page to those that are external to docusign
          any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                     .href_url.domain.root_domain != 'docusign.net'
                     and .href_url.domain.root_domain != 'docusign.com'
                     and .href_url.domain.root_domain not in $org_domains
                     // relative links (no domains)
                     and .href_url.domain.domain is not null
              ),
              (
                // any of those links domains are new
                network.whois(.href_url.domain).days_old < 30
                // go to free file hosts
                or .href_url.domain.root_domain in $free_file_hosts
                or .href_url.domain.domain in $free_file_hosts

                // go to free subdomain hosts
                or (
                  .href_url.domain.root_domain in $free_subdomain_hosts
                  // where there is a subdomain
                  and .href_url.domain.subdomain is not null
                  and .href_url.domain.subdomain != "www"
                )
                // go to url shorteners
                or .href_url.domain.root_domain in $url_shorteners
                or .href_url.domain.root_domain in $social_landing_hosts
                or .href_url.domain.domain in $url_shorteners
                or .href_url.domain.domain in $social_landing_hosts
                or (
                  // find any links that mention common "action" words
                  regex.icontains(.display_text,
                                  '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                  )
                  and (
                    // and when visiting those links, are phishing
                    ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                    // hit a captcha page
                    or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                    // or the page redirects to common website, observed when evasion happens
                    or (
                      length(ml.link_analysis(., mode="aggressive").redirect_history
                      ) > 0
                      and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
                    )
                  )
                )
              )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
  - "HTML analysis"
id: "4189a645-04a5-5bdb-bf00-031442ced292"
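To make the two-stage logic of the rule concrete, here is an added Python re-implementation of its decision flow (not Sublime's code and not part of the rule above). It assumes small constructed stand-ins for Sublime's list variables ($free_file_hosts, $free_subdomain_hosts, $url_shorteners, $social_landing_hosts, $tranco_10k), a naive "last two labels" root-domain split instead of a public-suffix list, and hypothetical callables `analyze` and `whois_days_old` that play the role of `ml.link_analysis()` and `network.whois()`. The sample message, landing-page links, and WHOIS ages are constructed for the demo.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed stand-ins for Sublime's list variables; the real lists are far larger.
FREE_FILE_HOSTS = {"dropbox.com", "mediafire.com"}
FREE_SUBDOMAIN_HOSTS = {"weebly.com", "github.io"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com"}
SOCIAL_LANDING_HOSTS = {"linktr.ee"}
TRANCO_10K = {"google.com", "microsoft.com", "docusign.com"}

# Same patterns the rule uses to pick the DocuSign link and "action" links.
DOCUSIGN_TEXT = re.compile(r"((view|show).completed.document|(?:re)?view doc|view.attached)", re.I)
ACTION_WORDS = re.compile(r"(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)", re.I)


@dataclass
class Link:
    display_text: str
    href_url: str


@dataclass
class LinkAnalysis:
    """Constructed stand-in for the fields of ml.link_analysis() the rule reads."""
    final_dom_links: list = field(default_factory=list)
    credphish_disposition: str = "benign"
    contains_captcha: bool = False
    redirect_history: list = field(default_factory=list)
    effective_url: str = ""


@dataclass
class Message:
    sender_root_domain: str
    spf_pass: bool
    dmarc_pass: bool
    reply_to_solicited: bool
    reply_to_any_benign: bool
    links: list


def split_domain(url):
    """Return (domain, root_domain, subdomain); relative links yield (None, None, None).
    Simplification: root = last two labels (no public-suffix list)."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".") if host else []
    if len(labels) < 2:
        return None, None, None
    return host, ".".join(labels[-2:]), ".".join(labels[:-2]) or None


def is_docusign_link(link):
    """Stage 1: the link in the email that opens the DocuSign envelope."""
    href = link.href_url.lower()
    return (DOCUSIGN_TEXT.search(link.display_text) is not None
            or "/signing/emailstart.aspx" in href or "/signing/emails/v" in href)


def suspicious_external_link(link, analyze, whois_days_old, org_domains):
    """Stage 2: one link found on the DocuSign page, judged by the rule's criteria."""
    host, root, sub = split_domain(link.href_url)
    if host is None or root in ("docusign.net", "docusign.com") or root in org_domains:
        return False  # relative, DocuSign-owned, or the org's own link
    if whois_days_old(root) < 30:
        return True  # newly registered domain
    if root in FREE_FILE_HOSTS or host in FREE_FILE_HOSTS:
        return True
    if root in FREE_SUBDOMAIN_HOSTS and sub is not None and sub != "www":
        return True
    if {root, host} & (URL_SHORTENERS | SOCIAL_LANDING_HOSTS):
        return True
    if ACTION_WORDS.search(link.display_text):
        la = analyze(link.href_url)
        if la.credphish_disposition == "phishing" or la.contains_captcha:
            return True
        # redirected away to a top site: typical of evasion once the lure is fetched by a scanner
        if la.redirect_history and split_domain(la.effective_url)[1] in TRANCO_10K:
            return True
    return False


def rule_matches(msg, analyze, whois_days_old, org_domains=frozenset()):
    if msg.reply_to_solicited or msg.reply_to_any_benign:
        return False
    if msg.sender_root_domain != "docusign.net" or not (msg.spf_pass or msg.dmarc_pass):
        return False
    for link in filter(is_docusign_link, msg.links):
        landing = analyze(link.href_url)
        if any(suspicious_external_link(l, analyze, whois_days_old, org_domains)
               for l in landing.final_dom_links):
            return True
    return False


# Constructed sample: the envelope page links out to a free-subdomain host and to a
# lure on a days-old domain that bounces scanners to a top site.
SAMPLE_ANALYSIS = {
    "https://na4.docusign.net/Signing/EmailStart.aspx?a=abc": LinkAnalysis(final_dom_links=[
        Link("DocuSign", "https://www.docusign.com/"),
        Link("Help", "/support"),
        Link("VIEW DOCUMENT", "https://invoice-portal.weebly.com/doc"),
        Link("Click here to verify", "https://cdn.example-lure.test/go"),
    ]),
    "https://cdn.example-lure.test/go": LinkAnalysis(
        redirect_history=["https://cdn.example-lure.test/go"],
        effective_url="https://www.microsoft.com/"),
}
WHOIS_AGE = {"example-lure.test": 4}  # constructed; unknown domains are treated as old


def sample_analyze(url):
    return SAMPLE_ANALYSIS.get(url, LinkAnalysis())


def sample_whois_days_old(root):
    return WHOIS_AGE.get(root, 3650)


def demo():
    msg = Message("docusign.net", True, False, False, False,
                  [Link("Review Document", "https://na4.docusign.net/Signing/EmailStart.aspx?a=abc")])
    return rule_matches(msg, sample_analyze, sample_whois_days_old, org_domains={"example.com"})


if __name__ == "__main__":
    print("match:", demo())
```

The split mirrors the rule's shape: the outer `any(filter(...))` picks the DocuSign link in the email, the inner one walks the rendered envelope page and applies the host-list, WHOIS and `link_analysis` checks to every external link, so swapping in the real lists and analyzers is a matter of replacing the constructed stand-ins.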