Medium Severity

Service abuse: DocuSign notification with suspicious sender or document name

Labels

Callback Phishing

BEC/Fraud

Description

The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name.

References

No references.

Sublime Security

Created Nov 13th, 2024 • Last updated Aug 5th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and length(attachments) == 0

// Legitimate Docusign sending infratructure
and sender.email.domain.root_domain == 'docusign.net'
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
and length(headers.reply_to) > 0
and not any(headers.reply_to,
            .email.domain.domain in $org_domains
            or .email.domain.root_domain in $high_trust_sender_root_domains
            or .email.domain.root_domain in ("docusign.net", "docusign.com")
)
// 
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
// 

// reply-to address has never sent an email to the org
and beta.profile.by_reply_to().prevalence == "new"

// reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited

// do not match if the reply_to address has been observed as a reply_to address
// of a message that has been classified as benign
and not beta.profile.by_reply_to().any_messages_benign

// not a completed DocuSign
// reminders are sent automatically and can be just as malicious as the initial
// users often decline malicious ones
and not strings.istarts_with(subject.subject, "Completed: ")
and not strings.istarts_with(subject.subject, "Here is your signed document: ")
and not strings.istarts_with(subject.subject, "Voided: ")
and (
  // contains the word docusign before the `via Docusign` part
  regex.icontains(sender.display_name, 'Docusign.*via Docusign$')
  or strings.icontains(subject.subject, 'sharefile')
  or strings.icontains(subject.subject, 'helloshare')

  // sender names part of the subject
  or (
    // Billing Accounting
    regex.icontains(sender.display_name,
                    'Accounts? (?:Payable|Receivable).*via Docusign$',
                    'Billing Support.*via Docusign$'
    )

    // HR/Payroll/Legal/etc
    or regex.icontains(sender.display_name, 'Compliance HR.*via Docusign$')
    or regex.icontains(sender.display_name,
                       '(?:Compliance|Executive|Finance|\bHR\b|Human Resources|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*(?:Department|Team)?.*via Docusign$'
    )
    or regex.icontains(sender.display_name,
                       'Corporate Communications.*via Docusign$'
    )
    or regex.icontains(sender.display_name, 'Employee Relations.*via Docusign$')
    or regex.icontains(sender.display_name, 'Office Manager.*via Docusign$')
    or regex.icontains(sender.display_name, 'Risk Management.*via Docusign$')
    or regex.icontains(sender.display_name,
                       'Payroll Admin(?:istrator).*via Docusign$'
    )

    // IT related
    or regex.icontains(sender.display_name,
                       'IT Support.*via Docusign$',
                       'Information Technology.*via Docusign$',
                       '(?:Network|System)? Admin(?:istrator).*via Docusign$',
                       'Help Desk.*via Docusign$',
                       'Tech(?:nical) Support.*via Docusign$'
    )
  )
  // filename analysis
  // the filename is also contained in the subject line
  or (
    // scanner themed
    regex.icontains(subject.subject, 'scanne[rd]')
    // image theme
    or regex.icontains(subject.subject, '_IMG_')
    or regex.icontains(subject.subject, 'IMG[_-](?:\d|\W)+')

    // Invoice Themes
    or regex.icontains(subject.subject, 'Invoice')
    or regex.icontains(subject.subject, 'INV\b')
    or regex.icontains(subject.subject, 'Payment')
    or regex.icontains(subject.subject, '\bACH\b')
    or regex.icontains(subject.subject, 'Wire Confirmation')
    or regex.icontains(subject.subject, 'P[O0]\W+?\d+\"')
    or regex.icontains(subject.subject, 'P[O0](?:\W+?|\d+)')
    or regex.icontains(subject.subject, 'receipt')
    or regex.icontains(subject.subject, 'Billing')
    or regex.icontains(subject.subject, 'statement')
    or regex.icontains(subject.subject, 'Past Due')
    or regex.icontains(subject.subject, 'Remit(?:tance)?')
    or regex.icontains(subject.subject, 'Purchase Order')
    or regex.icontains(subject.subject, 'Settlementt')

    // contract language
    or regex.icontains(subject.subject, 'Pr[0o]p[0o]sal')
    or regex.icontains(subject.subject, 'Claim Doc')

    // Payroll/HR
    or regex.icontains(subject.subject, 'Payroll')
    or regex.icontains(subject.subject, 'Employee Pay\b')
    or regex.icontains(subject.subject, 'Salary')
    or regex.icontains(subject.subject, 'Benefit Enrollment')
    or regex.icontains(subject.subject, 'Employee Handbook')
    or regex.icontains(subject.subject, 'Reimbursement Approved')

    // 
    // shared files/extenstion/urgency/CTA
    or regex.icontains(subject.subject, 'Urgent')
    or regex.icontains(subject.subject, 'Important')
    or regex.icontains(subject.subject, 'Secure')
    or regex.icontains(subject.subject, 'Encrypt')
    or regex.icontains(subject.subject, 'shared')
    or regex.icontains(subject.subject, 'protected')
    or regex.icontains(subject.subject, 'Validate')
    or regex.icontains(subject.subject, 'Action Required')
    or regex.icontains(subject.subject, 'Final Notice')
    or regex.icontains(subject.subject, 'Review(?: and| & |\s+)?Sign')
    or regex.icontains(subject.subject, 'Download PDF')

    // MFA theme
    or regex.icontains(subject.subject, 'Verification Code')
    or regex.icontains(subject.subject, '\bMFA\b')
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.