Link: Multistage Landing - Abused Docusign
This detection rule matches on message groups that use a genuine DocuSign envelope as a landing page (the message is sent from docusign.net and passes SPF or DMARC). The DocuSign page then contains links that point to newly registered domains, free file or subdomain hosts, or URL shorteners, or that when visited are phishing pages, lead to a CAPTCHA, or redirect to a top website.
Sublime rule
name: "Link: Multistage Landing - Abused Docusign"
description: "The detection rule matches on message groups which make use of Docusign as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shorteners or when visited are phishing pages, lead to a captcha or redirect to a top website."
type: "rule"
severity: "high"
source: |
  type.inbound

  // reply-to email address has never been sent an email by the org
  and not any(headers.reply_to, .email.email in $recipient_emails)

  // message is actually from DocuSign
  and sender.email.domain.root_domain == 'docusign.net'
  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)

  // filter out all the links, keeping only the links of interest
  and any(filter(body.links,
                 // target the DocuSign link
                 (
                   regex.icontains(.display_text,
                                   "((view|show).completed.document|(?:re)?view doc|view.attached)"
                   )
                   or strings.icontains(.href_url.url, '/Signing/EmailStart.aspx')
                   or strings.icontains(.href_url.url, '/signing/emails/v')
                 )
          ),

          // filter down the links on the docusign page to those that are external to docusign
          any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                     .href_url.domain.root_domain != 'docusign.net'
                     and .href_url.domain.root_domain != 'docusign.com'
                     and .href_url.domain.root_domain not in $org_domains
                     // exclude relative links (no domain)
                     and .href_url.domain.domain is not null
              ),
              (
                // any of those link domains are newly registered
                network.whois(.href_url.domain).days_old < 30
                // go to free file hosts
                or .href_url.domain.root_domain in $free_file_hosts
                or .href_url.domain.domain in $free_file_hosts

                // go to free subdomain hosts
                or (
                  .href_url.domain.root_domain in $free_subdomain_hosts
                  // where there is a subdomain
                  and .href_url.domain.subdomain is not null
                  and .href_url.domain.subdomain != "www"
                )
                // go to url shorteners
                or .href_url.domain.root_domain in $url_shorteners
                or .href_url.domain.domain in $url_shorteners
                or (
                  // find any links that mention common "action" words
                  regex.icontains(.display_text,
                                  '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                  )
                  and (
                    // and when visiting those links, are phishing
                    ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                    // hit a captcha page
                    or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                    // or the page redirects to a common website, observed when evasion happens
                    or (
                      length(ml.link_analysis(., mode="aggressive").redirect_history
                      ) > 0
                      and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
                    )
                  )
                )
              )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
  - "HTML analysis"
id: "4189a645-04a5-5bdb-bf00-031442ced292"
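To make the second stage of the rule concrete, here is an added Python re-implementation of the landing-page link triage (the inner `any(filter(...))` over the DocuSign page's external links); it is an illustration written for this page, not Sublime's code. The list names, the `LandingLink` attributes and the `root_domain` helper are assumptions standing in for Sublime's `$free_file_hosts`, `$free_subdomain_hosts`, `$url_shorteners`, `$tranco_10k`, `$org_domains`, `network.whois` and `ml.link_analysis` results.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed stand-ins for the Sublime lists used by the rule.
FREE_FILE_HOSTS = {"dropbox.com", "mega.nz"}
FREE_SUBDOMAIN_HOSTS = {"weebly.com", "github.io"}
URL_SHORTENERS = {"bit.ly", "t.co"}
TRANCO_10K = {"google.com", "microsoft.com"}
ORG_DOMAINS = {"example-corp.com"}
# Same "action word" pattern the rule applies to link display text.
ACTION_WORDS = re.compile(
    r"(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)", re.I)

@dataclass
class LandingLink:
    """One link from the DocuSign page DOM; enrichment fields are constructed stand-ins."""
    href: str
    display_text: str = ""
    days_old: int = 3650              # stand-in for network.whois(domain).days_old
    disposition: str = "benign"       # stand-in for credphish.disposition
    contains_captcha: bool = False    # stand-in for credphish.contains_captcha
    redirect_history: list = field(default_factory=list)
    effective_domain: str = ""        # root domain of effective_url after redirects

def root_domain(host):
    # Naive two-label root; adequate for the constructed sample hosts (not a PSL lookup).
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def is_suspicious(link):
    """Apply the rule's per-link conditions to one external landing-page link."""
    host = urlparse(link.href).hostname
    if not host:                      # relative link: no domain, excluded by the filter
        return False
    root = root_domain(host)
    if root in {"docusign.net", "docusign.com"} or root in ORG_DOMAINS:
        return False                  # links back to DocuSign or the org are not of interest
    subdomain = host[: -len(root) - 1] if host != root else ""
    if link.days_old < 30:            # newly registered domain
        return True
    if root in FREE_FILE_HOSTS or host in FREE_FILE_HOSTS:
        return True
    if root in FREE_SUBDOMAIN_HOSTS and subdomain and subdomain != "www":
        return True
    if root in URL_SHORTENERS or host in URL_SHORTENERS:
        return True
    if ACTION_WORDS.search(link.display_text):
        redirected_to_top = bool(link.redirect_history) and link.effective_domain in TRANCO_10K
        return link.disposition == "phishing" or link.contains_captcha or redirected_to_top
    return False

def landing_page_flagged(links):
    """The rule's outer any(): one matching link on the landing page is enough."""
    return any(is_suspicious(link) for link in links)
```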