High Severity
HR Impersonation via E-sign Agreement Comment
Description
This rule inspects messages originating from legitimate e-signature platform infrastructure, with engaging language in the body that matches HR Impersonation criteria.
References
No references.
Sublime Security
Created Oct 3rd, 2024 • Last updated Nov 15th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and length(attachments) == 0
// Legitimate Docusign sending infratructure
and (
sender.email.domain.root_domain in (
'docusign.net',
'docusign.com',
'hellosign.com'
)
// docusing.com as a reply-to is used in updates to documents, such as views, signs, etc
and not any(headers.reply_to, .email.domain.domain == 'docusign.com')
// check for SPF or DMARC passed
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
)
// HR Impersonation in body
and regex.icontains(body.current_thread.text,
(
'(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
)
)
// Request and Urgency
and (
any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
or any(ml.nlu_classifier(body.current_thread.text).entities,
.name in ("urgency", "financial")
)
)
)
and (
any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
or length(ml.nlu_classifier(body.current_thread.text).intents) == 0 // not benign but not malicious either
)
// Negate legitimate HR docusigns originating from within the org
and not (all(headers.reply_to, .email.domain.root_domain in $org_domains))
// Negate replies
and (
length(headers.references) == 0
or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
Playground
Test against your own EMLs or sample data.