• Brand Impersonation: Fake DocuSign HTML table not linking to DocuSign domains
Medium Severity

Brand Impersonation: Fake DocuSign HTML table not linking to DocuSign domains

Description

Detects HTML table elements that mimick DocuSign templates linking to non-DocuSign destinations. The rule negates high trusted sender domains and legitimate replies.

References

No references.

Sublime Security
Created Apr 29th, 2024 • Last updated Jun 3rd, 2025
Source
type.inbound
and length(attachments) == 0
and (
  0 < length(body.links) < 10
  // ignore link count when the HTML is padded with whitespace
  // indicative of thread hijacking/copy-pasting
  or regex.icount(body.html.raw, '(<br\s*/?>[\s\n]*)') > 50
)
and (
  regex.icontains(body.html.raw, '<font size="[0-9]">DocuSign</font>')
  or regex.icontains(body.html.raw, '<span[^>]*style="[^"]*">DocuSign<\/span>')
  or regex.icontains(body.html.raw, '<strong>DocuSign</strong>')
  or regex.icontains(body.html.raw,
                     'D&#917540;&#917540;o&#917540;&#917540;c︀uS&#917540;&#917540;i︀gn'
  )
  or any(body.links, regex.icontains(.display_text, 'view.{0,3}doc'))
  or any(body.links, regex.contains(.display_text, '\bDOCUMENT'))
)
and (
  regex.icontains(body.html.raw, 'background:\s*rgb\(30,\s*76,\s*161\)')
  or regex.icontains(body.html.raw,
                     'background-color:\s*rgb\(30,\s*76,\s*161\)'
  )
  or regex.icontains(body.html.raw,
                     'background-color:\s*rgb\(61,\s*170,\s*73\)'
  )
  or regex.icontains(body.html.raw,
                     '<div[^>]*BACKGROUND-COLOR: #1e4ca1[^>]*>|<td[^>]*BACKGROUND-COLOR: #1e4ca1[^>]*>'
  )
  or regex.icontains(body.html.raw, 'background-color:#214e9f;')
  or regex.icontains(body.html.raw, 'background-color:#3260a7')
  or regex.icontains(body.html.raw,
                     '<table[^>]*cellspacing="0"[^>]*cellpadding="0"[^>]*>\s*<tbody[^>]*>\s*<tr[^>]*>\s*<td[^>]*style="BACKGROUND:\s*rgb\(247,247,247\);\s*width:\s*[0-9]{2,3}px;\s*padding:20px;\s*margin:\s*[0-9]{2,3}px"[^>]*>.*<div[^>]*style="BACKGROUND:\s*rgb\(30,76,161\);\s*padding:[0-9]{2,3}px;\s*color:#EFEFEF"[^>]*align="center"[^>]*>.*DOCUMENT.*</a>'
  )
  // Docusign Blue Box template with button
  or (
    regex.icontains(body.html.raw,
                    '<(td|div)[^>]*style="[^"]*background(-color)?:\s*(#1e4ca1|rgb\(30,\s*76,\s*161\))[^"]*"[^>]*>'
    )
    and (
      regex.icontains(body.html.raw,
                      '<a[^>]*style="[^"]*background-color:\s*(#[A-Fa-f0-9]{6}|rgb\([^)]*\))[^"]*"[^>]*>.*?<span[^>]*>.*?<\/span>.*?<\/a>'
      )
      // white link with a border
      or (
        regex.icontains(body.html.raw,
                        '<a[^>]*style="[^"]*color:\s*(white|#fff|#ffffff|#FFF|#FFFFFF|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\)|rgba\(\s*255\s*,\s*255\s*,\s*255\s*,\s*[0-9.]+\s*\)|rgb\(\s*100%\s*,\s*100%\s*,\s*100%\s*\))[^"]*"[^>]*>.*?<\/a>'
        )
        and regex.icontains(body.html.raw,
                            '<a[^>]*style="[^"]*border:[^"]*"[^>]*>.*?<\/a>'
        )
      )
    )
  )
)
and any(body.links,
        not strings.ilike(.href_url.domain.root_domain, "docusign.*")
        and (
          .display_text is null or regex.contains(.display_text, '\bDOCUMENT')
        )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

// negate legit replies
and not (
  length(headers.references) > 0
  or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
and not profile.by_sender().any_false_positives

// negate docusign X-Return-Path
and not any(headers.hops,
            .index == 0
            and any(.fields,
                    .name == "X-Return-Path"
                    and strings.ends_with(.value, "docusign.net")
            )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.