Link: Multistage Landing - Abused Docusign

The detection rule matches on message groups which make use of Docusign as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website.

Sublime rule (View on GitHub)

 1name: "Link: Multistage Landing - Abused Docusign"
 2description: "The detection rule matches on message groups which make use of Docusign as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  
 8  // reply-to email address as never been sent an email by the org
 9  and not any(headers.reply_to, .email.email in $recipient_emails)
10  
11  // message is from docusign actual
12  and sender.email.domain.root_domain == 'docusign.net'
13  and headers.auth_summary.spf.pass
14  and (
15    headers.auth_summary.spf.details.designator == 'docusign.net'
16    // observed subdomains of docusign being used (camail.docusign.net)
17    or strings.ends_with(headers.auth_summary.spf.details.designator,
18                         '.docusign.net'
19    )
20  )
21  and headers.auth_summary.dmarc.pass
22  
23  // filter out all the links, keeping only the links of interest
24  and any(filter(body.links,
25                 // target the DocuSign link
26                 (
27                   regex.icontains(.display_text,
28                                   "((view|show).completed.document|(?:re)?view doc|view.attached)"
29                   )
30                   or strings.icontains(.href_url.url, '/Signing/EmailStart.aspx')
31                   or strings.icontains(.href_url.url, '/signing/emails/v')
32                 )
33          ),
34  
35          // filter down the links on the docusign page to those that are external to docusign
36          any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
37                     .href_url.domain.root_domain != 'docusign.net'
38                     and .href_url.domain.root_domain != 'docusign.com'
39                     // relative links (no domains)
40                     and .href_url.domain.domain is not null
41              ),
42              (
43                // any of those links domains are new
44                network.whois(.href_url.domain).days_old < 30
45                // go to free file hosts
46                or .href_url.domain.root_domain in $free_file_hosts
47                or .href_url.domain.domain in $free_file_hosts
48  
49                // go to free subdomains hosts
50                or (
51                  .href_url.domain.root_domain in $free_subdomain_hosts
52                  // where there is a subdomain
53                  and .href_url.domain.subdomain is not null
54                  and .href_url.domain.subdomain != "www"
55                )
56                // go to url shortners
57                or .href_url.domain.root_domain in $url_shorteners
58                or .href_url.domain.domain in $url_shorteners
59                or (
60                  // find any links that mention common "action" words
61                  regex.icontains(.display_text,
62                                  '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
63                  )
64                  and (
65                    // and when visiting those links, are phishing
66                    ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
67  
68                    // hit a captcha page
69                    or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
70  
71                    // or the page redirects to common website, observed when evasion happens
72                    or (
73                      length(ml.link_analysis(., mode="aggressive").redirect_history
74                      ) > 0
75                      and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
76                    )
77                  )
78                )
79              )
80          )
81          or 
82          length(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
83                  .href_url.domain.root_domain not in ("docusign.net", "docusign.com")
84          )) > 0
85  )  
86attack_types:
87  - "Credential Phishing"
88tactics_and_techniques:
89  - "Evasion"
90  - "Free subdomain host"
91  - "Free file host"
92detection_methods:
93  - "Content analysis"
94  - "Sender analysis"
95  - "URL analysis"
96  - "Whois"
97  - "HTML analysis"
98id: "4189a645-04a5-5bdb-bf00-031442ced292"
to-top