• Sublime Core Feed
Medium Severity

Attachment: DocuSign Impersonation (PDF) linking to New Domain <=3d

Labels

Credential Phishing
Impersonation: Brand
PDF
Social engineering
Header analysis
Sender analysis
URL analysis
File analysis
Computer Vision
Whois

Description

This rule detects PDF files containing a DocuSign logo linking to a newly created domain (Less than or equal to 3 days)

References

No references.

Sublime Security
Created Oct 26th, 2023 • Last updated Apr 25th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        .file_type == "pdf"
        and any(ml.logo_detect(.).brands, .name == "DocuSign")
        and any(file.explode(.), any(.scan.pdf.urls, network.whois(.domain).days_old <= 3))
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
  
// excludes senders that contain "via" in the display name a resilient way
and not (
  any(headers.hops,
      any(.fields, .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net"))
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started