Link: Multistage Landing - Abused Docusign

The detection rule matches on message groups which make use of Docusign as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, or URL shorteners, or which, when visited, are phishing pages, lead to a captcha, or redirect to a top website.

Sublime rule (View on GitHub)

# Sublime detection rule: a genuine DocuSign envelope used as a multistage
# landing page. The message itself passes DocuSign authentication; the abuse
# is in the links hosted on the DocuSign signing page, which are fetched and
# scored below. Comments inside `source` are MQL (`//`), not YAML.
name: "Link: Multistage Landing - Abused Docusign"
description: "The detection rule matches on message groups which make use of Docusign as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website."
type: "rule"
severity: "high"
source: |
  // only inbound mail is evaluated
  type.inbound

  // reply-to email address has never been sent an email by the org.
  // NOTE(review): any() over an empty/absent reply_to list is presumably
  // false, so a message with no Reply-To header also passes this gate; it
  // only suppresses envelopes whose reply-to is a known correspondent.
  and not any(headers.reply_to, .email.email in $recipient_emails)

  // message is from docusign actual: the sender root domain is DocuSign's
  // sending domain AND at least one of SPF / DMARC passed, i.e. a real
  // DocuSign envelope (abused account), not a spoof. A sender under
  // docusign.com would not match here — presumably intentional, confirm.
  and sender.email.domain.root_domain == 'docusign.net'
  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)

  // filter out all the links, keeping only the links of interest
  and any(filter(body.links,
                 // target the DocuSign link: matched either by its display
                 // text (case-insensitive regex) or by one of the two
                 // signing-flow paths in the href
                 (
                   regex.icontains(.display_text,
                                   "((view|show).completed.document|(?:re)?view doc|view.attached)"
                   )
                   or strings.icontains(.href_url.url, '/Signing/EmailStart.aspx')
                   or strings.icontains(.href_url.url, '/signing/emails/v')
                 )
          ),

          // filter down the links on the docusign page to those that are external to docusign.
          // `.` here is the DocuSign link; its rendered DOM (aggressive mode) is crawled
          // and DocuSign's own domains and the org's domains are dropped.
          any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                     .href_url.domain.root_domain != 'docusign.net'
                     and .href_url.domain.root_domain != 'docusign.com'
                     and .href_url.domain.root_domain not in $org_domains
                     // relative links (no domains)
                     and .href_url.domain.domain is not null
              ),
              (
                // any of those links domains are new (registered < 30 days ago).
                // NOTE(review): when whois returns no data, days_old is presumably
                // null and this comparison is false rather than an error — confirm.
                network.whois(.href_url.domain).days_old < 30
                // go to free file hosts; both the root domain and the full host are
                // checked so list entries of either form match
                or .href_url.domain.root_domain in $free_file_hosts
                or .href_url.domain.domain in $free_file_hosts

                // go to free subdomains hosts
                or (
                  .href_url.domain.root_domain in $free_subdomain_hosts
                  // where there is a subdomain, i.e. a tenant-specific host
                  // rather than the provider's bare/www site
                  and .href_url.domain.subdomain is not null
                  and .href_url.domain.subdomain != "www"
                )
                // go to url shortners (root domain or full host)
                or .href_url.domain.root_domain in $url_shorteners
                or .href_url.domain.domain in $url_shorteners
                or (
                  // find any links that mention common "action" words.
                  // Substring match (icontains), so e.g. "accountant" also hits
                  // "account"; "Va[il]idar" covers Spanish/Portuguese "validar"
                  // and the "vaiidar" misspelling.
                  regex.icontains(.display_text,
                                  '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                  )
                  and (
                    // and when visiting those links, are phishing.
                    // NOTE(review): link_analysis is invoked on the same link
                    // several times in this branch; presumably cached by the
                    // engine — confirm if evaluation cost matters.
                    ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                    // hit a captcha page
                    or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                    // or the page redirects to common website, observed when evasion happens:
                    // at least one redirect hop and the final URL's root domain is in the
                    // Tranco top-10k list
                    or (
                      length(ml.link_analysis(., mode="aggressive").redirect_history
                      ) > 0
                      and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
                    )
                  )
                )
              )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
  - "HTML analysis"
id: "4189a645-04a5-5bdb-bf00-031442ced292"