High Severity
Link: Multistage Landing - Abused Docusign
Description
The detection rule matches on message groups which make use of Docusign as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website.
References
No references.
Sublime Security
Created Jul 26th, 2024 • Last updated Apr 11th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
// reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited
// do not match if the reply_to address has been observed as a reply_to address
// of a message that has been classified as benign
and not beta.profile.by_reply_to().any_messages_benign
// message is from docusign actual
and sender.email.domain.root_domain == 'docusign.net'
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
// filter out all the links, keeping only the links of interest
and any(filter(body.links,
// target the DocuSign link
(
regex.icontains(.display_text,
"((view|show).completed.document|(?:re)?view doc|view.attached)"
)
or strings.icontains(.href_url.url, '/Signing/EmailStart.aspx')
or strings.icontains(.href_url.url, '/signing/emails/v')
)
),
// filter down the links on the docusign page to those that are external to docusign
any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
.href_url.domain.root_domain != 'docusign.net'
and .href_url.domain.root_domain != 'docusign.com'
and .href_url.domain.root_domain not in $org_domains
// relative links (no domains)
and .href_url.domain.domain is not null
),
(
// any of those links domains are new
network.whois(.href_url.domain).days_old < 30
// go to free file hosts
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.domain in $free_file_hosts
// go to free subdomains hosts
or (
.href_url.domain.root_domain in $free_subdomain_hosts
// where there is a subdomain
and .href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
)
// go to url shortners
or .href_url.domain.root_domain in $url_shorteners
or .href_url.domain.domain in $url_shorteners
or (
// find any links that mention common "action" words
regex.icontains(.display_text,
'(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
)
and (
// and when visiting those links, are phishing
ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
// hit a captcha page
or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
// or the page redirects to common website, observed when evasion happens
or (
length(ml.link_analysis(., mode="aggressive").redirect_history
) > 0
and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
)
)
)
)
)
)
Playground
Test against your own EMLs or sample data.