• Sublime Core Feed
High Severity

Link: Multistage Landing - Abused Docusign

Labels

Credential Phishing
Evasion
Free subdomain host
Free file host
Content analysis
Sender analysis
URL analysis
Whois
HTML analysis

Description

The detection rule matches on message groups which make use of Docusign as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website.

References

No references.

Sublime Security
Created Jul 26th, 2024 • Last updated Apr 11th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound

//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
  
// reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited

// do not match if the reply_to address has been observed as a reply_to address
// of a message that has been classified as benign
and not beta.profile.by_reply_to().any_messages_benign

// message is from docusign actual
and sender.email.domain.root_domain == 'docusign.net'
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)

// filter out all the links, keeping only the links of interest
and any(filter(body.links,
               // target the DocuSign link
               (
                 regex.icontains(.display_text,
                                 "((view|show).completed.document|(?:re)?view doc|view.attached)"
                 )
                 or strings.icontains(.href_url.url, '/Signing/EmailStart.aspx')
                 or strings.icontains(.href_url.url, '/signing/emails/v')
               )
        ),

        // filter down the links on the docusign page to those that are external to docusign
        any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                   .href_url.domain.root_domain != 'docusign.net'
                   and .href_url.domain.root_domain != 'docusign.com'
                   and .href_url.domain.root_domain not in $org_domains
                   // relative links (no domains)
                   and .href_url.domain.domain is not null
            ),
            (
              // any of those links domains are new
              network.whois(.href_url.domain).days_old < 30
              // go to free file hosts
              or .href_url.domain.root_domain in $free_file_hosts
              or .href_url.domain.domain in $free_file_hosts

              // go to free subdomains hosts
              or (
                .href_url.domain.root_domain in $free_subdomain_hosts
                // where there is a subdomain
                and .href_url.domain.subdomain is not null
                and .href_url.domain.subdomain != "www"
              )
              // go to url shortners
              or .href_url.domain.root_domain in $url_shorteners
              or .href_url.domain.domain in $url_shorteners
              or (
                // find any links that mention common "action" words
                regex.icontains(.display_text,
                                '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                )
                and (
                  // and when visiting those links, are phishing
                  ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                  // hit a captcha page
                  or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                  // or the page redirects to common website, observed when evasion happens
                  or (
                    length(ml.link_analysis(., mode="aggressive").redirect_history
                    ) > 0
                    and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
                  )
                )
              )
            )
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started