High Severity
Brand impersonation: DocuSign (QR code)
Description
Detects messages using DocuSign image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
References
No references.
Sublime Security
Created Nov 9th, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and (
any(ml.logo_detect(.).brands,
.name == "DocuSign" and .confidence in ("medium", "high")
)
or any(ml.logo_detect(beta.message_screenshot()).brands,
.name == "DocuSign"
)
)
and (
any(file.explode(.),
(
(
.scan.qr.type is not null
and regex.contains(.scan.qr.data, '\.')
)
or
// QR code language
(
regex.icontains(.scan.ocr.raw, 'scan|camera')
and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
)
)
// exclude images taken with mobile cameras and screenshots from android
and not any(.scan.exiftool.fields,
.key == "Model"
or (
.key == "Software"
and strings.starts_with(.value, "Android")
)
)
// exclude images taken with mobile cameras and screenshots from Apple
and not any(.scan.exiftool.fields,
.key == "DeviceManufacturer"
and .value == "Apple Computer Inc."
)
)
)
)
and (
not any(headers.hops,
.authentication_results.compauth.verdict is not null
and .authentication_results.compauth.verdict == "pass"
and sender.email.domain.root_domain in (
"docusign.net",
"docusign.com"
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Playground
Test against your own EMLs or sample data.