Link: Multistage Landing - Abused Docusign
The detection rule matches on message groups which make use of DocuSign as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts or URL shorteners, or which, when visited, are phishing pages, lead to a captcha, or redirect to a top website.
Sublime rule
```yaml
name: "Link: Multistage Landing - Abused Docusign"
description: "The detection rule matches on message groups which make use of Docusign as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts or URL shorteners, or which, when visited, are phishing pages, lead to a captcha, or redirect to a top website."
type: "rule"
severity: "high"
source: |
  type.inbound

  // reply-to email address has never been sent an email by the org
  and not any(headers.reply_to, .email.email in $recipient_emails)

  // message is from docusign actual
  and sender.email.domain.root_domain == 'docusign.net'
  and headers.auth_summary.spf.pass
  and (
    headers.auth_summary.spf.details.designator == 'docusign.net'
    // observed subdomains of docusign being used (camail.docusign.net)
    or strings.ends_with(headers.auth_summary.spf.details.designator,
                         '.docusign.net'
    )
  )
  and headers.auth_summary.dmarc.pass

  // filter out all the links, keeping only the links of interest
  and any(filter(body.links,
                 // target the DocuSign link
                 (
                   regex.icontains(.display_text,
                                   "((view|show).completed.document|(?:re)?view doc|view.attached)"
                   )
                   or strings.icontains(.href_url.url, '/Signing/EmailStart.aspx')
                   or strings.icontains(.href_url.url, '/signing/emails/v')
                 )
          ),

          // filter down the links on the docusign page to those that are external to docusign
          any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                     .href_url.domain.root_domain != 'docusign.net'
                     and .href_url.domain.root_domain != 'docusign.com'
                     // relative links (no domains)
                     and .href_url.domain.domain is not null
              ),
              (
                // any of those links' domains are new
                network.whois(.href_url.domain).days_old < 30
                // go to free file hosts
                or .href_url.domain.root_domain in $free_file_hosts
                or .href_url.domain.domain in $free_file_hosts

                // go to free subdomain hosts
                or (
                  .href_url.domain.root_domain in $free_subdomain_hosts
                  // where there is a subdomain
                  and .href_url.domain.subdomain is not null
                  and .href_url.domain.subdomain != "www"
                )
                // go to url shorteners
                or .href_url.domain.root_domain in $url_shorteners
                or .href_url.domain.domain in $url_shorteners
                or (
                  // find any links that mention common "action" words
                  regex.icontains(.display_text,
                                  '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                  )
                  and (
                    // and when visiting those links, are phishing
                    ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                    // hit a captcha page
                    or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                    // or the page redirects to a common website, observed when evasion happens
                    or (
                      length(ml.link_analysis(., mode="aggressive").redirect_history
                      ) > 0
                      and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
                    )
                  )
                )
              )
          )
          or
          length(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                        .href_url.domain.root_domain not in ("docusign.net", "docusign.com")
          )) > 0
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
  - "HTML analysis"
id: "4189a645-04a5-5bdb-bf00-031442ced292"
```
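As an added example (not part of the Sublime rule or its repository), the link logic of the rule above modelled in Python and evaluated over constructed link-analysis data, so the two stages can be exercised offline: first the DocuSign "view document" link in the message is found, then the links on the page behind it are classified. The `Link` class, its field names and the host lists are assumptions; the sender, SPF, DMARC and reply-to checks are taken as already passed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Patterns and domain names taken from the rule above.
DOCUSIGN_TEXT = re.compile(r"((view|show).completed.document|(?:re)?view doc|view.attached)", re.I)
DOCUSIGN_PATHS = ("/signing/emailstart.aspx", "/signing/emails/v")
ACTION_WORDS = re.compile(r"(?:view|click|show|access|download|goto|validate|va[il]idar|login|verify|account)", re.I)
DOCUSIGN_DOMAINS = ("docusign.net", "docusign.com")
# Constructed stand-ins for the $free_file_hosts, $free_subdomain_hosts, $url_shorteners, $tranco_10k lists.
FREE_FILE_HOSTS, FREE_SUBDOMAIN_HOSTS = {"files.example"}, {"pages.example"}
URL_SHORTENERS, TRANCO_10K = {"short.example"}, {"top-site.example"}

@dataclass
class Link:  # a link plus the ml.link_analysis() fields the rule reads (assumed shape, not Sublime's API)
    display_text: str
    root_domain: Optional[str]           # None models a relative link (no domain)
    subdomain: Optional[str] = None
    url: str = ""
    whois_days_old: int = 3650
    disposition: str = "benign"          # credphish.disposition
    contains_captcha: bool = False
    redirect_count: int = 0              # len(redirect_history)
    effective_root_domain: str = ""
    landing_links: list = field(default_factory=list)  # final_dom.links of the page behind this link

def is_suspicious(l: Link) -> bool:
    """Inner predicate on one external landing-page link (the rule's OR chain)."""
    domain = f"{l.subdomain}.{l.root_domain}" if l.subdomain else l.root_domain
    hosted = (l.root_domain in FREE_FILE_HOSTS or domain in FREE_FILE_HOSTS
              or l.root_domain in URL_SHORTENERS or domain in URL_SHORTENERS
              or (l.root_domain in FREE_SUBDOMAIN_HOSTS and l.subdomain not in (None, "www")))
    evasive = bool(ACTION_WORDS.search(l.display_text)) and (
        l.disposition == "phishing" or l.contains_captcha
        or (l.redirect_count > 0 and l.effective_root_domain in TRANCO_10K))
    return l.whois_days_old < 30 or hosted or evasive

def is_docusign_link(link: Link) -> bool:
    return bool(DOCUSIGN_TEXT.search(link.display_text)) or any(p in link.url.lower() for p in DOCUSIGN_PATHS)

def rule_matches(body_links: list) -> bool:
    """Link portion of the rule; sender, SPF, DMARC and reply-to checks are assumed to have passed."""
    for link in filter(is_docusign_link, body_links):
        external = [l for l in link.landing_links if l.root_domain not in DOCUSIGN_DOMAINS and l.root_domain]
        if any(map(is_suspicious, external)):
            return True
        # Second branch of the rule: any landing-page link whose root domain is not DocuSign's.
        if any(l.root_domain not in DOCUSIGN_DOMAINS for l in link.landing_links):
            return True
    return False
```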