Medium Severity
Service Abuse: DocuSign Share From an Unsolicited Reply-To Address
Description
DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.
References
No references.
Sublime Security
Created Nov 6th, 2024 • Last updated Apr 11th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
// message is from docusign actual
and sender.email.domain.root_domain == 'docusign.net'
and not any(headers.reply_to, .email.domain.domain == 'docusign.com')
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
// not a completed DocuSign
// reminders are sent automatically and can be just as malicious as the initial
// users often decline malicious ones
and not strings.istarts_with(subject.subject, "Completed: ")
and not strings.istarts_with(subject.subject, "Here is your signed document: ")
and not strings.istarts_with(subject.subject, "Voided: ")
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
// reply-to address has never sent an email to the org
and beta.profile.by_reply_to().prevalence == "new"
// reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited
// do not match if the reply_to address has been observed as a reply_to address
// of a message that has been classified as benign
and not beta.profile.by_reply_to().any_messages_benign
Playground
Test against your own EMLs or sample data.