Medium Severity
Credential Phishing: Suspicious E-sign Agreement Document Notification
Description
Detects phishing attempts disguised as e-signature requests, characterized by common document sharing phrases, unusual HTML padding, and suspicious link text.
References
No references.
Sublime Security
Created May 15th, 2024 • Last updated May 28th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and any([subject.subject, sender.display_name],
regex.icontains(strings.replace_confusables(.),
"DocuLink",
"Access.&.Approved",
"Agreement.{0,5}Review",
"Attend.and.Review",
"Completed.File",
"Dochsared",
"Docshared",
"DocsPoint",
"Document.Shared",
"DocuCentre",
"DocuCenter",
"DocCenter",
"DocsOnline",
"DocSend",
"docsign",
"Docu-eSin",
"Docu-management",
"\\beSign",
"e\\.sign",
"esign.online",
"e-doc",
"e-signature",
"eSignature",
"eSign&Return",
"eSignOnline",
"Fileshare",
"Review.and.Complete",
"Review.&.Sign",
"SignOnline",
"Signature.Request",
"Shared.Completed",
"Sign.and.Seal",
"viaSign",
"D0cuSign",
"DocsID",
"Complete.{0,10}DocuSign",
"Enroll & Sign",
"Review and Sign",
"SignReport",
"SignDoc",
"Docxxx",
"docufile",
"E-Sign&Return",
"document.signature",
"Electronic.?Signature",
"Complete: ",
"Please Review",
"^REVIEW$"
)
)
and (
// unusual repeated patterns in HTML
regex.icontains(body.html.raw, '((<br\s*/?>\s*){20,}|\n{20,})')
or regex.icontains(body.html.raw, '(<p[^>]*>\s*<br\s*/?>\s*</p>\s*){30,}')
or regex.icontains(body.html.raw,
'(<p class=".*?"><span style=".*?"><o:p> </o:p></span></p>\s*){30,}'
)
or regex.icontains(body.html.raw, '(<p> </p>\s*){7,}')
or regex.icontains(body.html.raw, '(<p[^>]*>\s* <br>\s*</p>\s*){5,}')
or regex.icontains(body.html.raw, '(<p[^>]*> </p>\s*){7,}')
or strings.count(body.html.raw, '  ') > 50
or regex.count(body.html.raw,
'<span\s*class\s*=\s*"[^\"]+"\s*>\s*[a-z]\s*<\/span><span\s*class\s*=\s*"[^\"]+"\s*>\s*[a-z]+\s*<\/span>'
) > 50
// lookalike docusign
or regex.icontains(body.html.raw, '>Docus[1l]gn<')
or (
regex.icontains(body.html.inner_text, 'Document')
and length(body.html.inner_text) < 300
)
// common greetings via email.local_part
or any(recipients.to,
// use count to ensure the email address is not part of a disclaimer
strings.icount(body.current_thread.text, .email.local_part) >
// sum allows us to add more logic as needed
sum([
strings.icount(body.current_thread.text,
strings.concat('was sent to ', .email.email)
),
strings.icount(body.current_thread.text,
strings.concat('intended for ', .email.email)
)
]
)
)
// Abnormally high count of mailto links in raw html
or regex.count(body.html.raw,
'mailto:[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
) > 50
// High count of empty elements (padding)
or regex.count(body.html.raw,
'<(?:p|div|span|td)[^>]*>\s*(?: |\s)*\s*</(?:p|div|span|td)>'
) > 30
// HR impersonation
or strings.ilike(sender.display_name, "HR", "H?R", "*Human Resources*")
)
and (
any(body.links,
// suspicious content within link display_text
regex.icontains(.display_text,
"activate",
"re-auth",
"verify",
"acknowledg",
"(keep|change).{0,20}(active|password|access)",
'((verify|view|click|download|goto|keep|Vιew|release).{0,15}(attachment|current|download|fax|file|document|message|same)s?)',
'use.same.pass',
'validate.{0,15}account',
'recover.{0,15}messages',
'(retry|update).{0,10}payment',
'check activity',
'(listen|play).{0,10}(vm|voice)',
'clarify.{0,20}(deposit|wallet|funds)',
'enter.{0,15}teams',
'Review and sign',
'REVIEW.*DOCUMENT'
)
// check that the display_text is all lowercase
or (
regex.contains(.display_text,
"\\bVIEW",
"DOWNLOAD",
"CHECK",
"KEEP.(SAME|MY)",
"VERIFY",
"ACCESS\\b",
"SIGN\\b",
"ENABLE\\b",
"RETAIN",
"PLAY",
"LISTEN",
)
and regex.match(.display_text, "^[^a-z]*[A-Z][^a-z]*$")
)
// the display text is _exactly_
or .display_text in~ ("Open")
)
// one hyperlinked image that's not a tracking pixel
or (
length(html.xpath(body.html,
"//a//img[(@width > 5 or not(@width)) and (@height > 5 or not(@height))]"
).nodes
) == 1
and length(body.current_thread.text) < 500
)
or (
length(attachments) > 0
and any(attachments,
(
regex.icontains(beta.ocr(.).text,
"activate",
"re-auth",
"verify",
"acknowledg",
"(keep|change).{0,20}(active|password|access)",
'((verify|view|click|download|goto|keep|Vιew|release).{0,15}(attachment|current|download|fax|file|document|message|same)s?)',
'use.same.pass',
'validate.{0,15}account',
'recover.{0,15}messages',
'(retry|update).{0,10}payment',
'check activity',
'(listen|play).{0,10}(vm|voice)',
'clarify.{0,20}(deposit|wallet|funds)',
'enter.{0,15}teams',
'Review and sign'
)
)
or (
any(file.explode(.),
regex.icontains(.scan.ocr.raw,
"activate",
"re-auth",
"verify",
"acknowledg",
"(keep|change).{0,20}(active|password|access)",
'((verify|view|click|download|goto|keep|Vιew|release).{0,15}(attachment|current|download|fax|file|document|message|same)s?)',
'use.same.pass',
'validate.{0,15}account',
'recover.{0,15}messages',
'(retry|update).{0,10}payment',
'check activity',
'(listen|play).{0,10}(vm|voice)',
'clarify.{0,20}(deposit|wallet|funds)',
'enter.{0,15}teams',
'Review and sign'
)
)
)
)
)
)
and (
not profile.by_sender_email().solicited
or profile.by_sender_email().prevalence == "new"
or (
profile.by_sender_email().any_messages_malicious_or_spam
and not profile.by_sender_email().any_messages_benign
)
)
and not profile.by_sender_email().any_messages_benign
// negate replies/fowards containing legitimate docs
and not (
length(headers.references) > 0
or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.