Link: Multistage Landing - Abused Docusign
The detection rule matches on message groups which make use of Docusign as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts or URL shorteners, or which, when visited, are phishing pages, lead to a captcha, or redirect to a top website.
Sublime rule (View on GitHub)
name: "Link: Multistage Landing - Abused Docusign"
description: "The detection rule matches on message groups which make use of Docusign as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shorteners or when visited are phishing pages, lead to a captcha or redirect to a top website."
type: "rule"
severity: "high"
source: |
  type.inbound

  //
  // This rule makes use of a beta feature and is subject to change without notice
  // using the beta feature in custom rules is not suggested until it has been formally released
  //

  // reply-to email address has never been sent an email by the org
  and not beta.profile.by_reply_to().solicited

  // do not match if the reply_to address has been observed as a reply_to address
  // of a message that has been classified as benign
  and not beta.profile.by_reply_to().any_messages_benign

  // message is from docusign actual
  and sender.email.domain.root_domain == 'docusign.net'
  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)

  // filter out all the links, keeping only the links of interest
  and any(filter(body.links,
                 // target the DocuSign link
                 (
                   regex.icontains(.display_text,
                                   "((view|show).completed.document|(?:re)?view doc|view.attached)"
                   )
                   or strings.icontains(.href_url.url, '/Signing/EmailStart.aspx')
                   or strings.icontains(.href_url.url, '/signing/emails/v')
                 )
          ),

          // filter down the links on the docusign page to those that are external to docusign
          any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                     .href_url.domain.root_domain != 'docusign.net'
                     and .href_url.domain.root_domain != 'docusign.com'
                     and .href_url.domain.root_domain not in $org_domains
                     // relative links (no domains)
                     and .href_url.domain.domain is not null
              ),
              (
                // any of those links' domains are new
                network.whois(.href_url.domain).days_old < 30
                // go to free file hosts
                or .href_url.domain.root_domain in $free_file_hosts
                or .href_url.domain.domain in $free_file_hosts

                // go to free subdomain hosts
                or (
                  .href_url.domain.root_domain in $free_subdomain_hosts
                  // where there is a subdomain
                  and .href_url.domain.subdomain is not null
                  and .href_url.domain.subdomain != "www"
                )
                // go to url shorteners
                or .href_url.domain.root_domain in $url_shorteners
                or .href_url.domain.domain in $url_shorteners
                or (
                  // find any links that mention common "action" words
                  regex.icontains(.display_text,
                                  '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                  )
                  and (
                    // and when visiting those links, are phishing
                    ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                    // hit a captcha page
                    or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                    // or the page redirects to a common website, observed when evasion happens
                    or (
                      length(ml.link_analysis(., mode="aggressive").redirect_history
                      ) > 0
                      and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
                    )
                  )
                )
              )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
  - "HTML analysis"
id: "4189a645-04a5-5bdb-bf00-031442ced292"
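To make the two-stage logic of the rule concrete, here is an added Python model of it; this is example code written for this page, not Sublime's rule engine or any code from the rule's repository. It keeps the rule's regexes and its order of checks (authentic DocuSign sender and unsolicited reply-to first, then the DocuSign "review document" link in the mail, then the external links on the crawled landing page), but everything the platform would supply is a constructed stand-in: the list variables (`$free_file_hosts`, `$free_subdomain_hosts`, `$url_shorteners`, `$tranco_10k`, `$org_domains`) are tiny sets, `ml.link_analysis()` and `network.whois()` are replaced by lookups into hand-written dictionaries, and the root-domain/subdomain split is a naive "last two labels" rule with no public-suffix list. The sample links, hostnames and URLs are invented for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-ins for the rule's list variables ($free_file_hosts, $free_subdomain_hosts,
# $url_shorteners, $tranco_10k, $org_domains); the real lists are far larger.
FREE_FILE_HOSTS = {"dropbox.com", "mega.nz"}
FREE_SUBDOMAIN_HOSTS = {"weebly.com", "wixsite.com"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com"}
TRANCO_10K = {"google.com", "microsoft.com", "office.com"}
ORG_DOMAINS = {"example.com"}

# Patterns copied from the rule: stage one picks the DocuSign link in the email, stage two
# looks for "action" words on the links found on the crawled DocuSign landing page.
DOCUSIGN_TEXT = re.compile(r"((view|show).completed.document|(?:re)?view doc|view.attached)", re.I)
DOCUSIGN_PATHS = ("/signing/emailstart.aspx", "/signing/emails/v")
ACTION_WORDS = re.compile(
    r"(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)", re.I)


@dataclass
class Link:
    display_text: str
    url: str
    host: Optional[str] = None  # None models a relative link (.href_url.domain.domain is null)

    # Simplified split (no public-suffix list): root = last two labels, subdomain = the rest.
    @property
    def root_domain(self) -> str:
        return ".".join(self.host.split(".")[-2:])

    @property
    def subdomain(self) -> Optional[str]:
        return ".".join(self.host.split(".")[:-2]) or None


@dataclass
class LinkAnalysis:  # constructed stand-in for the ml.link_analysis() fields the rule reads
    final_dom_links: List[Link] = field(default_factory=list)
    disposition: str = "unknown"     # credphish.disposition
    contains_captcha: bool = False   # credphish.contains_captcha
    redirect_history: List[str] = field(default_factory=list)
    effective_root_domain: str = ""  # effective_url.domain.root_domain


def is_docusign_link(link: Link) -> bool:
    """Stage one: the link in the email that opens the DocuSign envelope."""
    return bool(DOCUSIGN_TEXT.search(link.display_text)) or any(
        p in link.url.lower() for p in DOCUSIGN_PATHS)


def is_external(link: Link) -> bool:  # landing-page links that leave DocuSign and the org
    return link.host is not None and link.root_domain not in (
        "docusign.net", "docusign.com", *ORG_DOMAINS)


def is_suspicious(link: Link, analyze, whois_days_old) -> bool:
    """Stage two: the disjunction the rule applies to each external landing-page link."""
    hosted = (whois_days_old(link.root_domain) < 30  # newly registered domain
              or link.root_domain in FREE_FILE_HOSTS or link.host in FREE_FILE_HOSTS
              or (link.root_domain in FREE_SUBDOMAIN_HOSTS and link.subdomain not in (None, "www"))
              or link.root_domain in URL_SHORTENERS or link.host in URL_SHORTENERS)
    if hosted or not ACTION_WORDS.search(link.display_text):
        return hosted  # only links carrying action words get crawled
    la = analyze(link)
    return (la.disposition == "phishing" or la.contains_captcha
            or (bool(la.redirect_history) and la.effective_root_domain in TRANCO_10K))


def rule_matches(links: List[Link], analyze, whois_days_old, sender_root_domain="docusign.net",
                 auth_pass=True, reply_to_solicited=False, reply_to_any_benign=False) -> bool:
    """Authentic DocuSign sender, unknown reply-to, suspicious external link on the landing page."""
    if reply_to_solicited or reply_to_any_benign:
        return False
    if sender_root_domain != "docusign.net" or not auth_pass:  # spf.pass or dmarc.pass
        return False
    return any(is_external(ext) and is_suspicious(ext, analyze, whois_days_old)
               for link in links if is_docusign_link(link)
               for ext in analyze(link).final_dom_links)


# --- constructed sample data: one abused envelope and one clean one (invented hosts/URLs) ---
ENVELOPE_ABUSED = Link("Review Document", "https://na4.docusign.net/Signing/EmailStart.aspx?t=1", "na4.docusign.net")
ENVELOPE_CLEAN = Link("Review Document", "https://na4.docusign.net/Signing/EmailStart.aspx?t=2", "na4.docusign.net")
LURE_HOST = Link("Open file", "https://secure-docs.weebly.com/", "secure-docs.weebly.com")
LURE_PHISH = Link("Validate account", "https://portal.docs-review.example/", "portal.docs-review.example")
HELP = Link("Help center", "https://support.docusign.com/", "support.docusign.com")
PRIVACY = Link("Privacy policy", "https://www.example.org/privacy", "www.example.org")

ANALYSES: Dict[str, LinkAnalysis] = {  # keyed by URL; unlisted URLs analyse as empty/unknown
    ENVELOPE_ABUSED.url: LinkAnalysis(final_dom_links=[HELP, LURE_HOST, LURE_PHISH]),
    ENVELOPE_CLEAN.url: LinkAnalysis(final_dom_links=[HELP, PRIVACY]),
    LURE_PHISH.url: LinkAnalysis(disposition="phishing"),
}
WHOIS_AGE = {"docs-review.example": 400}  # days; unlisted roots are treated as long established
analyze = lambda link: ANALYSES.get(link.url, LinkAnalysis())
whois_days_old = lambda root: WHOIS_AGE.get(root, 3650)


def demo() -> Dict[str, bool]:
    run = lambda links, **kw: rule_matches(links, analyze, whois_days_old, **kw)
    return {"abused_docusign": run([ENVELOPE_ABUSED]),
            "clean_docusign": run([ENVELOPE_CLEAN]),
            "spoofed_sender": run([ENVELOPE_ABUSED], sender_root_domain="docusign-mail.example"),
            "known_reply_to": run([ENVELOPE_ABUSED], reply_to_solicited=True)}
```

Running `demo()` shows the shape of the rule: the abused envelope matches because its landing page links out to a free subdomain host and to a crawled page classified as phishing, the clean envelope does not match even though it links to an external privacy page (old domain, no action words, so it is never crawled), and the spoofed-sender and known-reply-to variants are excluded before any link is examined. The ordering in `is_suspicious` mirrors the rule's cost profile as well: the cheap list and WHOIS checks come first, and the expensive crawl is only paid for links whose text carries an action word.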