High Severity
Credential Phishing: DocuSign embedded image lure with no DocuSign domains in links
Description
Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo embedded in the body of the message, from a new sender.
References
No references.
Sublime Security
Created Nov 21st, 2023 • Last updated Sep 26th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
// link boundary
and length(filter(body.links, .href_url.domain.valid)) < 25
// there are no attachments, or only small, likely signature images
and (
length(attachments) == 0
or (
length(attachments) > 0
and all(attachments, .size < 8000 and .file_type in $file_types_images)
)
)
// Screenshot indicates a docusign logo or docusign name with cta to documents
and (
any(file.explode(beta.message_screenshot()),
(
strings.ilike(.scan.ocr.raw, "*DocuSign*")
or any(ml.logo_detect(beta.message_screenshot()).brands,
.name == "DocuSign"
)
)
and (
(
(
regex.icontains(.scan.ocr.raw,
"((re)?view|access|sign|complete(d)?) documen(t)?(s)?",
"Your document has been completed",
"New Document Shared with you",
"Kindly click the link",
"important edocs",
// German (Document (check|check|sign|sent))
"Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
)
// German (important|urgent|immediate) but not in the Microsoft link
or (
(
any(body.links,
.display_text == "Erfahren Sie, warum dies wichtig ist"
and .href_url.url == "https://aka.ms/LearnAboutSenderIdentification"
)
and regex.icount(.scan.ocr.raw, "(wichtig|dringend|sofort)") > 1
)
or (
not any(body.links,
.display_text == "Erfahren Sie, warum dies wichtig ist"
and .href_url.url == "https://aka.ms/LearnAboutSenderIdentification"
)
and regex.icount(.scan.ocr.raw, "(wichtig|dringend|sofort)") > 0
)
)
)
and any(body.links,
not strings.ilike(.href_url.domain.root_domain, "docusign.*")
and (.display_text is null and .display_url.url is null)
)
)
or any(body.links,
not strings.ilike(.href_url.domain.root_domain, "docusign.*")
and regex.icontains(.display_text,
'(\bdocument|(view|get your) (docu|file))'
)
)
)
)
)
// links with null display_text that do not go to docusign.* (indicative of hyperlinked image) or the display text contains DOCUMENT
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// negate legit replies
and not (
length(headers.references) > 0
or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
and not profile.by_sender().any_false_positives
// negate docusign X-Return-Path
and not any(headers.hops,
.index == 0
and any(.fields,
.name == "X-Return-Path"
and strings.ends_with(.value, "docusign.net")
)
)
// negate "via" senders via dmarc authentication
and (
not coalesce(headers.auth_summary.dmarc.pass
and strings.contains(sender.display_name, "via")
and sender.email.domain.domain in $org_domains,
false
)
)
Playground
Test against your own EMLs or sample data.