Medium Severity

Brand impersonation: Xodo Sign

Labels

Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Sender analysis

Description

Detects messages impersonating Xodo Sign with 'Processed by Xodo Sign' text from unauthorized senders that fail DMARC authentication.

References

No references.

Sublime Security
Created Jan 16th, 2026 • Last updated Jan 16th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and strings.icontains(body.current_thread.text, "processed by xodo sign")
and not (
  sender.email.domain.root_domain == "eversign.com"
  and headers.auth_summary.dmarc.pass
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started