• Sublime Core Feed
Low Severity

Service Abuse: HelloSign From an Unsolicited Sender Address

Labels

Credential Phishing
Social engineering
Free file host
Evasion
HTML analysis
Sender analysis
Header analysis

Description

Detects messages from HelloSign in which the document originates from a newly observed email address. The email address is extracted from across multiple message components, including HTML body templates and email header fields.

References

No references.

Sublime Security
Created Apr 30th, 2025 • Last updated Apr 30th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and sender.email.domain.domain == "mail.hellosign.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
and (
  // extract the sender out of the body html template
  (
    // if the sender_email is available in the body
    regex.icontains(body.html.raw,
                    '<th class="action-item--action[^\>]+\>\s*[^\<]*\((?P<sender_email>[^\)]+)\).*?</th>'
    )
    // check that the sender email has not been observed previously
    and all(regex.iextract(body.html.raw,
                           '<th class="action-item--action[^\>]+\>\s*[^\<]*\((?P<sender_email>[^\"]+@(?P<sender_domain>[^\"]+))\).*?</th>'
            ),
            .named_groups["sender_domain"] not in $org_domains
            and .named_groups["sender_email"] not in $recipient_emails
            and .named_groups["sender_email"] not in $sender_emails
            and not (
              .named_groups["sender_domain"] not in $free_email_providers
              and .named_groups["sender_domain"] in $recipient_domains
              and .named_groups["sender_domain"] in $sender_domains
            )
    )
  )

  // extract the sender out of header hops if it's there
  or any(headers.hops,
         any(.fields,
             .name == "X-Mailgun-Variables"
             and strings.icontains(.value, 'on_behalf_of_email')
             and all(regex.iextract(.value,
                                    '\"on_behalf_of_email": \"(?P<sender_email>[^\"]+@(?P<sender_domain>[^\"]+))\",'
                     ),
                     .named_groups["sender_domain"] not in $org_domains
                     and .named_groups["sender_email"] not in $recipient_emails
                     and .named_groups["sender_email"] not in $sender_emails
                     and not (
                       .named_groups["sender_domain"] not in $free_email_providers
                       and .named_groups["sender_domain"] in $recipient_domains
                       and .named_groups["sender_domain"] in $sender_domains
                     )
             )
         )
  )

  // extract the sender from the "reply to sender" element withn the body.html.raw
  or (
    regex.icontains(body.html.raw,
                    '<a href="mailto:[^\?]+\?[^\"]+\"[^\>]+\>(?:<img[^\>]+\>)?\s*Reply to sender<\/a>'
    )
    and all(regex.iextract(body.html.raw,
                           '<a href="mailto:(?P<sender_email>[^\?]+@(?P<sender_domain>[^\?]+))\?[^\"]+\"[^\>]+\>(?:<img[^\>]+\>)?\s*Reply to sender<\/a>'
            ),
            .named_groups["sender_domain"] not in $org_domains
            and .named_groups["sender_email"] not in $recipient_emails
            and .named_groups["sender_email"] not in $sender_emails
            and not (
              .named_groups["sender_domain"] not in $free_email_providers
              and .named_groups["sender_domain"] in $recipient_domains
              and .named_groups["sender_domain"] in $sender_domains
            )
    )
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started