Link: Multistage landing - Abused Docusign

type.inbound

//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
  
// reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited

// do not match if the reply_to address has been observed as a reply_to address
// of a message that has been classified as benign
and not beta.profile.by_reply_to().any_messages_benign

// message is from docusign actual
and sender.email.domain.root_domain == 'docusign.net'
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)

// filter out all the links, keeping only the links of interest
and any(filter(body.links,
               // target the DocuSign link
               (
                 regex.icontains(.display_text,
                                 "((view|show).completed.document|(?:re)?view doc|view.attached)"
                 )
                 or strings.icontains(.href_url.url, '/Signing/EmailStart.aspx')
                 or strings.icontains(.href_url.url, '/signing/emails/v')
               )
        ),

        // filter down the links on the docusign page to those that are external to docusign
        any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                   .href_url.domain.root_domain != 'docusign.net'
                   and .href_url.domain.root_domain != 'docusign.com'
                   and .href_url.domain.root_domain not in $org_domains
                   // relative links (no domains)
                   and .href_url.domain.domain is not null
            ),
            (
              // any of those links domains are new
              network.whois(.href_url.domain).days_old < 30
              // go to free file hosts
              or .href_url.domain.root_domain in $free_file_hosts
              or .href_url.domain.domain in $free_file_hosts

              // go to free subdomains hosts
              or (
                .href_url.domain.root_domain in $free_subdomain_hosts
                // where there is a subdomain
                and .href_url.domain.subdomain is not null
                and .href_url.domain.subdomain != "www"
              )
              // go to url shortners
              or .href_url.domain.root_domain in $url_shorteners
              or .href_url.domain.root_domain in $social_landing_hosts
              or .href_url.domain.domain in $url_shorteners
              or .href_url.domain.domain in $social_landing_hosts
              or (
                // find any links that mention common "action" words
                regex.icontains(.display_text,
                                '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                )
                and (
                  // and when visiting those links, are phishing
                  ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                  // hit a captcha page
                  or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                  // or the page redirects to common website, observed when evasion happens
                  or (
                    length(ml.link_analysis(., mode="aggressive").redirect_history
                    ) > 0
                    and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
                  )
                )
              )
            )
        )
)