• Sublime Core Feed
High Severity

Brand impersonation: DocuSign with embedded QR code

Labels

Credential Phishing
Evasion
Image as content
Impersonation: Brand
QR code
Computer Vision
Content analysis
QR code analysis
Sender analysis

Description

This rule detects unsolicited messages with short bodies containing a DocuSign logo, QR code language and an embedded QR code.

References

No references.

Sublime Security
Created May 2nd, 2024 • Last updated Oct 17th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and length(body.current_thread.text) < 1000
and length(attachments) == 0
and regex.icontains(body.current_thread.text, '\bQ(\.)?R(\.)?\b')
and regex.icontains(body.current_thread.text, "scan|mobile|camera")
and any(ml.logo_detect(file.message_screenshot()).brands,
        strings.starts_with(.name, "DocuSign")
)
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
and any(beta.scan_qr(file.message_screenshot()).items,
        .type is not null and regex.contains(.data, '\.')
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started