• Credential Phishing: Suspicious E-sign Agreement Document Notification
Medium Severity

Credential Phishing: Suspicious E-sign Agreement Document Notification

Description

Detects phishing attempts disguised as e-signature requests, characterized by common document sharing phrases, unusual HTML padding, and suspicious link text.

References

No references.

Sublime Security
Created May 15th, 2024 • Last updated May 28th, 2025
Source
type.inbound
and any([subject.subject, sender.display_name],
        regex.icontains(strings.replace_confusables(.),
                        "DocuLink",
                        "Access.&.Approved",
                        "Agreement.{0,5}Review",
                        "Attend.and.Review",
                        "Completed.File",
                        "Dochsared",
                        "Docshared",
                        "DocsPoint",
                        "Document.Shared",
                        "DocuCentre",
                        "DocuCenter",
                        "DocCenter",
                        "DocsOnline",
                        "DocSend",
                        "docsign",
                        "Docu-eSin",
                        "Docu-management",
                        "\\beSign",
                        "e\\.sign",
                        "esign.online",
                        "e-doc",
                        "e-signature",
                        "eSignature",
                        "eSign&Return",
                        "eSignOnline",
                        "Fileshare",
                        "Review.and.Complete",
                        "Review.&.Sign",
                        "SignOnline",
                        "Signature.Request",
                        "Shared.Completed",
                        "Sign.and.Seal",
                        "viaSign",
                        "D0cuSign",
                        "DocsID",
                        "Complete.{0,10}DocuSign",
                        "Enroll & Sign",
                        "Review and Sign",
                        "SignReport",
                        "SignDoc",
                        "Docxxx",
                        "docufile",
                        "E­-­S­i­g­n­&Return",
                        "document.signature",
                        "Electronic.?Signature",
                        "Complete: ",
                        "Please Review",
                        "^REVIEW$"
        )
)
and (
  // unusual repeated patterns in HTML 
  regex.icontains(body.html.raw, '((<br\s*/?>\s*){20,}|\n{20,})')
  or regex.icontains(body.html.raw, '(<p[^>]*>\s*<br\s*/?>\s*</p>\s*){30,}')
  or regex.icontains(body.html.raw,
                     '(<p class=".*?"><span style=".*?"><o:p>&nbsp;</o:p></span></p>\s*){30,}'
  )
  or regex.icontains(body.html.raw, '(<p>&nbsp;</p>\s*){7,}')
  or regex.icontains(body.html.raw, '(<p[^>]*>\s*&nbsp;<br>\s*</p>\s*){5,}')
  or regex.icontains(body.html.raw, '(<p[^>]*>&nbsp;</p>\s*){7,}')
  or strings.count(body.html.raw, '&nbsp;‌&nbsp;‌&nbsp') > 50
  or regex.count(body.html.raw,
                 '<span\s*class\s*=\s*"[^\"]+"\s*>\s*[a-z]\s*<\/span><span\s*class\s*=\s*"[^\"]+"\s*>\s*[a-z]+\s*<\/span>'
  ) > 50
  // lookalike docusign
  or regex.icontains(body.html.raw, '>Docus[1l]gn<')
  or (
    regex.icontains(body.html.inner_text, 'Document')
    and length(body.html.inner_text) < 300
  )
  // common greetings via email.local_part
  or any(recipients.to,
         // use count to ensure the email address is not part of a disclaimer
         strings.icount(body.current_thread.text, .email.local_part) > 
         // sum allows us to add more logic as needed
         sum([
               strings.icount(body.current_thread.text,
                              strings.concat('was sent to ', .email.email)
               ),
               strings.icount(body.current_thread.text,
                              strings.concat('intended for ', .email.email)
               )
             ]
         )
  )
  // Abnormally high count of mailto links in raw html
  or regex.count(body.html.raw,
                 'mailto:[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
  ) > 50

  // High count of empty elements (padding) 
  or regex.count(body.html.raw,
                 '<(?:p|div|span|td)[^>]*>\s*(?:&nbsp;|\s)*\s*</(?:p|div|span|td)>'
  ) > 30

  // HR impersonation
  or strings.ilike(sender.display_name, "HR", "H?R", "*Human Resources*")
)
and (
  any(body.links,

      // suspicious content within link display_text
      regex.icontains(.display_text,
                      "activate",
                      "re-auth",
                      "verify",
                      "acknowledg",
                      "(keep|change).{0,20}(active|password|access)",
                      '((verify|view|click|download|goto|keep|Vιew|release).{0,15}(attachment|current|download|fax|file|document|message|same)s?)',
                      'use.same.pass',
                      'validate.{0,15}account',
                      'recover.{0,15}messages',
                      '(retry|update).{0,10}payment',
                      'check activity',
                      '(listen|play).{0,10}(vm|voice)',
                      'clarify.{0,20}(deposit|wallet|funds)',
                      'enter.{0,15}teams',
                      'Review and sign',
                      'REVIEW.*DOCUMENT'
      )
      // check that the display_text is all lowercase
      or (
        regex.contains(.display_text,
                       "\\bVIEW",
                       "DOWNLOAD",
                       "CHECK",
                       "KEEP.(SAME|MY)",
                       "VERIFY",
                       "ACCESS\\b",
                       "SIGN\\b",
                       "ENABLE\\b",
                       "RETAIN",
                       "PLAY",
                       "LISTEN",
        )
        and regex.match(.display_text, "^[^a-z]*[A-Z][^a-z]*$")
      )

      // the display text is _exactly_
      or .display_text in~ ("Open")
  )
  // one hyperlinked image that's not a tracking pixel
  or (
    length(html.xpath(body.html,
                      "//a//img[(@width > 5 or not(@width)) and (@height > 5 or not(@height))]"
           ).nodes
    ) == 1
    and length(body.current_thread.text) < 500
  )
  or (
    length(attachments) > 0
    and any(attachments,
            (
              regex.icontains(beta.ocr(.).text,
                              "activate",
                              "re-auth",
                              "verify",
                              "acknowledg",
                              "(keep|change).{0,20}(active|password|access)",
                              '((verify|view|click|download|goto|keep|Vιew|release).{0,15}(attachment|current|download|fax|file|document|message|same)s?)',
                              'use.same.pass',
                              'validate.{0,15}account',
                              'recover.{0,15}messages',
                              '(retry|update).{0,10}payment',
                              'check activity',
                              '(listen|play).{0,10}(vm|voice)',
                              'clarify.{0,20}(deposit|wallet|funds)',
                              'enter.{0,15}teams',
                              'Review and sign'
              )
            )
            or (
              any(file.explode(.),
                  regex.icontains(.scan.ocr.raw,
                                  "activate",
                                  "re-auth",
                                  "verify",
                                  "acknowledg",
                                  "(keep|change).{0,20}(active|password|access)",
                                  '((verify|view|click|download|goto|keep|Vιew|release).{0,15}(attachment|current|download|fax|file|document|message|same)s?)',
                                  'use.same.pass',
                                  'validate.{0,15}account',
                                  'recover.{0,15}messages',
                                  '(retry|update).{0,10}payment',
                                  'check activity',
                                  '(listen|play).{0,10}(vm|voice)',
                                  'clarify.{0,20}(deposit|wallet|funds)',
                                  'enter.{0,15}teams',
                                  'Review and sign'
                  )
              )
            )
    )
  )
)
and (
  not profile.by_sender_email().solicited
  or profile.by_sender_email().prevalence == "new"
  or (
    profile.by_sender_email().any_messages_malicious_or_spam
    and not profile.by_sender_email().any_messages_benign
  )
)
and not profile.by_sender_email().any_messages_benign

// negate replies/fowards containing legitimate docs
and not (
  length(headers.references) > 0
  or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.