High Severity
Callback Phishing via DocuSign comment
Description
This rule inspects messages originating from legitimate DocuSign infrastructure, with a DocuSign logo that match Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number.
References
No references.
Sublime Security
Created Oct 17th, 2023 • Last updated Jan 2nd, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and length(attachments) == 0
// Legitimate Docusign sending infratructure
and sender.email.domain.root_domain == 'docusign.net'
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
// Docusign Logo
and any(ml.logo_detect(beta.message_screenshot()).brands, .name == "DocuSign")
// Callback Phishing
and regex.icontains(body.current_thread.text,
(
"mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck"
)
)
and 3 of (
strings.ilike(body.current_thread.text, '*purchase*'),
strings.ilike(body.current_thread.text, '*payment*'),
strings.ilike(body.current_thread.text, '*transaction*'),
strings.ilike(body.current_thread.text, '*subscription*'),
strings.ilike(body.current_thread.text, '*antivirus*'),
strings.ilike(body.current_thread.text, '*order*'),
strings.ilike(body.current_thread.text, '*support*'),
strings.ilike(body.current_thread.text, '*help line*'),
strings.ilike(body.current_thread.text, '*receipt*'),
strings.ilike(body.current_thread.text, '*invoice*'),
strings.ilike(body.current_thread.text, '*call*'),
strings.ilike(body.current_thread.text, '*cancel*'),
strings.ilike(body.current_thread.text, '*renew*'),
strings.ilike(body.current_thread.text, '*refund*')
)
// phone number regex
and any([body.current_thread.text, subject.subject],
regex.icontains(., '\b\+?(\d{1}.)?\(?\d{3}?\)?.~?.?\d{3}.?~?.\d{4}\b')
)
Playground
Test against your own EMLs or sample data.