• Sublime Core Feed

Description

Identifies messages containing CloudHQ share links from senders outside the CloudHQ domain who are impersonating DocuSign in either the subject line or display name.

References

No references.

Sublime Security
Created Apr 4th, 2025 • Last updated Aug 5th, 2025
Source
type.inbound
and any(body.links,
        .href_url.domain.root_domain == "cloudhq.net"
        and strings.starts_with(.href_url.path, "/s/")
        and sender.email.domain.root_domain != 'cloudhq.net'
)

// the subject or display_name includes docusign
and (
  regex.icontains(strings.replace_confusables(subject.subject),
                  '\bdocu\s*sign\b'
  )
  or regex.icontains(strings.replace_confusables(sender.display_name),
                     '\bdocu\s*sign\b'
  )
)

// there is at most one unique cloudhq link in the message
and length(distinct(filter(body.links,
                           .href_url.domain.root_domain == "cloudhq.net"
                    ),
                    .href_url.url
           )
) <= 1
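
The rule's three conditions, re-expressed in Python and run over constructed messages so each clause can be seen passing or failing. This is an added example, not Sublime's code or the MQL engine: the message dict layout, the small homoglyph map standing in for strings.replace_confusables, and the two-label root_domain helper are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for strings.replace_confusables: a few Cyrillic
# look-alikes only; the real confusables table is far larger.
CONFUSABLES = str.maketrans({"\u043e": "o", "\u0441": "c", "\u0456": "i", "\u0455": "s"})
DOCUSIGN = re.compile(r"\bdocu\s*sign\b", re.IGNORECASE)

def root_domain(host):
    # Assumption: last two labels. Fine for cloudhq.net; general use needs
    # the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def mentions_docusign(text):
    return bool(DOCUSIGN.search((text or "").translate(CONFUSABLES)))

def rule_matches(msg):
    sender_root = root_domain(msg["sender"].rsplit("@", 1)[-1])
    parsed = [(u, urlsplit(u)) for u in msg["links"]]
    cloudhq = [(u, p) for u, p in parsed if root_domain(p.hostname or "") == "cloudhq.net"]
    has_share = any(p.path.startswith("/s/") for _, p in cloudhq)
    return (msg["type"] == "inbound"
            and has_share and sender_root != "cloudhq.net"
            and (mentions_docusign(msg["subject"]) or mentions_docusign(msg["display_name"]))
            and len({u for u, _ in cloudhq}) <= 1)

def sample(**overrides):
    # Constructed baseline message; each case below overrides one field.
    base = {"type": "inbound", "sender": "billing@example.com", "display_name": "Accounts",
            "subject": "Completed: DocuSign agreement",
            "links": ["https://www.cloudhq.net/s/EXAMPLE1"]}
    return {**base, **overrides}

SAMPLES = {
    "baseline": sample(),
    "homoglyph_subject": sample(subject="D\u043e\u0441u Sign: please review"),
    "display_name_only": sample(subject="Invoice", display_name="Docu sign"),
    "sent_by_cloudhq": sample(sender="share@cloudhq.net"),
    "two_cloudhq_links": sample(links=["https://www.cloudhq.net/s/EXAMPLE1",
                                       "https://www.cloudhq.net/s/EXAMPLE2"]),
    "not_share_path": sample(links=["https://www.cloudhq.net/pricing"]),
    "docusigned_word": sample(subject="Your DocuSigned copy"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:20} {rule_matches(msg)}")
```

The last case shows the effect of the trailing \b: "DocuSigned" does not satisfy the pattern, so a message carrying only that form in the subject and display name is not flagged.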