• Sublime Core Feed
Medium Severity

Attachment: DocuSign Impersonation (PDF) linking to New Domain <=3d

Labels

Description

This rule detects PDF files containing a DocuSign logo linking to a newly created domain (Less than or equal to 3 days)

References

No references.

Sublime Security
Created Oct 26th, 2023 • Last updated Oct 26th, 2023
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        .file_type == "pdf"
        and any(ml.logo_detect(.).brands, .name == "DocuSign")
        and any(file.explode(.), any(.scan.pdf.urls, beta.whois(.domain).days_old <= 3))
)

// negate legitimate docusign infrastructure
and
  (
    (
      sender.email.domain.root_domain in ('docusign.net', 'docusign.com')
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in ('docusign.net', 'docusign.com')
  )
  
// excludes senders that contain "via" in the display name a resilient way
and not (
  any(headers.hops,
      any(.fields, .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net"))
  )
)

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started