Low Severity
Service Abuse: HelloSign From an Unsolicited Sender Address
Description
Detects messages from HelloSign in which the document originates from a newly observed email address. The email address is extracted from across multiple message components, including HTML body templates and email header fields.
References
No references.
Sublime Security
Created Apr 30th, 2025 • Last updated Apr 30th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and sender.email.domain.domain == "mail.hellosign.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
and (
// extract the sender out of the body html template
(
// if the sender_email is available in the body
regex.icontains(body.html.raw,
'<th class="action-item--action[^\>]+\>\s*[^\<]*\((?P<sender_email>[^\)]+)\).*?</th>'
)
// check that the sender email has not been observed previously
and all(regex.iextract(body.html.raw,
'<th class="action-item--action[^\>]+\>\s*[^\<]*\((?P<sender_email>[^\"]+@(?P<sender_domain>[^\"]+))\).*?</th>'
),
.named_groups["sender_domain"] not in $org_domains
and .named_groups["sender_email"] not in $recipient_emails
and .named_groups["sender_email"] not in $sender_emails
and not (
.named_groups["sender_domain"] not in $free_email_providers
and .named_groups["sender_domain"] in $recipient_domains
and .named_groups["sender_domain"] in $sender_domains
)
)
)
// extract the sender out of header hops if it's there
or any(headers.hops,
any(.fields,
.name == "X-Mailgun-Variables"
and strings.icontains(.value, 'on_behalf_of_email')
and all(regex.iextract(.value,
'\"on_behalf_of_email": \"(?P<sender_email>[^\"]+@(?P<sender_domain>[^\"]+))\",'
),
.named_groups["sender_domain"] not in $org_domains
and .named_groups["sender_email"] not in $recipient_emails
and .named_groups["sender_email"] not in $sender_emails
and not (
.named_groups["sender_domain"] not in $free_email_providers
and .named_groups["sender_domain"] in $recipient_domains
and .named_groups["sender_domain"] in $sender_domains
)
)
)
)
// extract the sender from the "reply to sender" element withn the body.html.raw
or (
regex.icontains(body.html.raw,
'<a href="mailto:[^\?]+\?[^\"]+\"[^\>]+\>(?:<img[^\>]+\>)?\s*Reply to sender<\/a>'
)
and all(regex.iextract(body.html.raw,
'<a href="mailto:(?P<sender_email>[^\?]+@(?P<sender_domain>[^\?]+))\?[^\"]+\"[^\>]+\>(?:<img[^\>]+\>)?\s*Reply to sender<\/a>'
),
.named_groups["sender_domain"] not in $org_domains
and .named_groups["sender_email"] not in $recipient_emails
and .named_groups["sender_email"] not in $sender_emails
and not (
.named_groups["sender_domain"] not in $free_email_providers
and .named_groups["sender_domain"] in $recipient_domains
and .named_groups["sender_domain"] in $sender_domains
)
)
)
)
Playground
Test against your own EMLs or sample data.