High Severity
DocuSign Impersonation via Spoofed Intuit Sender
Description
Detects inbound messages that appear to come from an Intuit domain (root domain intuit.com), fail email authentication, and masquerade as DocuSign communications. The message either does not pass SPF or does not pass DMARC (a missing DMARC result is treated as a failure), and "docusign" appears in either the subject line or the sender display name.
Sublime Security
Created Mar 26th, 2025 • Last updated Mar 26th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and sender.email.domain.root_domain in ("intuit.com")
// email auth fails
and (
  not headers.auth_summary.spf.pass
  or not coalesce(headers.auth_summary.dmarc.pass, false)
)
// the subject or display_name includes docusign
and (
  strings.icontains(subject.subject, "docusign")
  or strings.icontains(sender.display_name, "docusign")
)
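An added example, not part of the Sublime rule or feed: the same decision logic in Python, run over constructed messages, to show which combinations match and that a message with no DMARC verdict is treated as failing. The function names, the two-label root-domain shortcut, the handling of a missing SPF verdict and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def auth_results(msg):
    """Collect the first spf= and dmarc= verdicts from Authentication-Results."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dmarc)=(\w+)", header, re.I):
            results.setdefault(method.lower(), verdict.lower())
    return results

def root_domain(address):
    # Assumption: last two labels. Production code needs the Public Suffix List.
    return ".".join(address.rpartition("@")[2].lower().split(".")[-2:])

def matches_rule(raw):
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    if root_domain(address) != "intuit.com":
        return False
    auth = auth_results(msg)
    # A missing DMARC verdict counts as a failure, like coalesce(..., false).
    # Assumption: a missing SPF verdict is also treated as not passing.
    auth_fails = auth.get("spf") != "pass" or auth.get("dmarc") != "pass"
    subject = msg.get("Subject", "").lower()
    branded = "docusign" in subject or "docusign" in display_name.lower()
    return auth_fails and branded

def sample(from_, subject, auth):
    # Constructed message; mx.example.net is a placeholder receiving host.
    return (f"From: {from_}\nSubject: {subject}\n"
            f"Authentication-Results: mx.example.net; {auth}\n\nbody\n")

SAMPLES = {
    "spoofed": sample('"DocuSign" <billing@notification.intuit.com>',
                      "Invoice ready", "spf=fail; dmarc=fail"),
    "no_dmarc": sample('"Intuit" <no-reply@intuit.com>',
                       "Complete with Docusign: contract.pdf", "spf=pass"),
    "authenticated": sample('"DocuSign" <no-reply@intuit.com>',
                            "Please DocuSign", "spf=pass; dmarc=pass"),
    "other_brand": sample('"Intuit" <no-reply@intuit.com>',
                          "Your receipt", "spf=fail; dmarc=fail"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {matches_rule(raw)}")
```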