Service abuse: DocuSign notification with suspicious sender or document name

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Callback Phishing, BEC/Fraud
Tactics and techniques	Evasion, Social engineering

Event coverage

Message attribute
headers (collection)
headers.auth_summary
headers.reply_to (collection)
sender
sender.email
subject
type

Rule body MQL

type.inbound
and length(attachments) == 0

// Legitimate Docusign sending infratructure
and sender.email.domain.root_domain == 'docusign.net'
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
and length(headers.reply_to) > 0
and not any(headers.reply_to,
            .email.domain.domain in $org_domains
            or .email.domain.root_domain in $high_trust_sender_root_domains
            or .email.domain.root_domain in ("docusign.net", "docusign.com")
)
// 
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
// 

// reply-to address has never sent an email to the org
and beta.profile.by_reply_to().prevalence == "new"

// reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited

// do not match if the reply_to address has been observed as a reply_to address
// of a message that has been classified as benign
and not beta.profile.by_reply_to().any_messages_benign

// not a completed DocuSign
// reminders are sent automatically and can be just as malicious as the initial
// users often decline malicious ones
and not strings.istarts_with(subject.subject, "Completed: ")
and not strings.istarts_with(subject.subject, "Here is your signed document: ")
and not strings.istarts_with(subject.subject, "Voided: ")
and (
  // contains the word docusign before the `via Docusign` part
  regex.icontains(sender.display_name, 'Docusign.*via Docusign$')
  or strings.icontains(subject.subject, 'sharefile')
  or strings.icontains(subject.subject, 'helloshare')

  // sender names part of the subject
  or (
    // Billing Accounting
    regex.icontains(sender.display_name,
                    'Accounts? (?:Payable|Receivable).*via Docusign$',
                    'Billing Support.*via Docusign$'
    )

    // HR/Payroll/Legal/etc
    or regex.icontains(sender.display_name, 'Compliance HR.*via Docusign$')
    or regex.icontains(sender.display_name,
                       '(?:Compliance|Executive|Finance|\bHR\b|Human Resources|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*(?:Department|Team)?.*via Docusign$'
    )
    or regex.icontains(sender.display_name,
                       'Corporate Communications.*via Docusign$'
    )
    or regex.icontains(sender.display_name, 'Employee Relations.*via Docusign$')
    or regex.icontains(sender.display_name, 'Office Manager.*via Docusign$')
    or regex.icontains(sender.display_name, 'Risk Management.*via Docusign$')
    or regex.icontains(sender.display_name,
                       'Payroll Admin(?:istrator).*via Docusign$'
    )

    // IT related
    or regex.icontains(sender.display_name,
                       'IT Support.*via Docusign$',
                       'Information Technology.*via Docusign$',
                       '(?:Network|System)? Admin(?:istrator).*via Docusign$',
                       'Help Desk.*via Docusign$',
                       'Tech(?:nical) Support.*via Docusign$'
    )
  )
  // filename analysis
  // the filename is also contained in the subject line
  or (
    // scanner themed
    regex.icontains(subject.subject, 'scanne[rd]')
    // image theme
    or regex.icontains(subject.subject, '_IMG_')
    or regex.icontains(subject.subject, 'IMG[_-](?:\d|\W)+')

    // Invoice Themes
    or regex.icontains(subject.subject, 'Invoice')
    or regex.icontains(subject.subject, 'INV\b')
    or regex.icontains(subject.subject, 'Payment')
    or regex.icontains(subject.subject, '\bACH\b')
    or regex.icontains(subject.subject, 'Wire Confirmation')
    or regex.icontains(subject.subject, 'P[O0]\W+?\d+\"')
    or regex.icontains(subject.subject, 'P[O0](?:\W+?|\d+)')
    or regex.icontains(subject.subject, 'receipt')
    or regex.icontains(subject.subject, 'Billing')
    or regex.icontains(subject.subject, 'statement')
    or regex.icontains(subject.subject, 'Past Due')
    or regex.icontains(subject.subject, 'Remit(?:tance)?')
    or regex.icontains(subject.subject, 'Purchase Order')
    or regex.icontains(subject.subject, 'Settlementt')

    // contract language
    or regex.icontains(subject.subject, 'Pr[0o]p[0o]sal')
    or regex.icontains(subject.subject, 'Claim Doc')

    // Payroll/HR
    or regex.icontains(subject.subject, 'Payroll')
    or regex.icontains(subject.subject, 'Employee Pay\b')
    or regex.icontains(subject.subject, 'Salary')
    or regex.icontains(subject.subject, 'Benefit Enrollment')
    or regex.icontains(subject.subject, 'Employee Handbook')
    or regex.icontains(subject.subject, 'Reimbursement Approved')

    // 
    // shared files/extenstion/urgency/CTA
    or regex.icontains(subject.subject, 'Urgent')
    or regex.icontains(subject.subject, 'Important')
    or regex.icontains(subject.subject, 'Secure')
    or regex.icontains(subject.subject, 'Encrypt')
    or regex.icontains(subject.subject, 'shared')
    or regex.icontains(subject.subject, 'protected')
    or regex.icontains(subject.subject, 'Validate')
    or regex.icontains(subject.subject, 'Action Required')
    or regex.icontains(subject.subject, 'Final Notice')
    or regex.icontains(subject.subject, 'Review(?: and| & |\s+)?Sign')
    or regex.icontains(subject.subject, 'Download PDF')

    // MFA theme
    or regex.icontains(subject.subject, 'Verification Code')
    or regex.icontains(subject.subject, '\bMFA\b')
  )
)

Detection logic

Scope: inbound message.

The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name.

inbound message
length(attachments) is 0
sender.email.domain.root_domain is 'docusign.net'
any of:
- headers.auth_summary.spf.pass
- headers.auth_summary.dmarc.pass
length(headers.reply_to) > 0
not:
- any of headers.reply_to where any holds:
  - .email.domain.domain in $org_domains
  - .email.domain.root_domain in $high_trust_sender_root_domains
  - .email.domain.root_domain in ('docusign.net', 'docusign.com')
beta.profile.by_reply_to().prevalence is 'new'
not:
- beta.profile.by_reply_to().solicited
not:
- beta.profile.by_reply_to().any_messages_benign
not:
- subject.subject starts with 'Completed: '
not:
- subject.subject starts with 'Here is your signed document: '
not:
- subject.subject starts with 'Voided: '
any of:
- sender.display_name matches 'Docusign.*via Docusign$'
- subject.subject contains 'sharefile'
- subject.subject contains 'helloshare'
- sender.display_name matches any of 14 patterns
  - Accounts? (?:Payable|Receivable).*via Docusign$
  - Billing Support.*via Docusign$
  - Compliance HR.*via Docusign$
  - (?:Compliance|Executive|Finance|\bHR\b|Human Resources|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*(?:Department|Team)?.*via Docusign$
  - Corporate Communications.*via Docusign$
  - Employee Relations.*via Docusign$
  - Office Manager.*via Docusign$
  - Risk Management.*via Docusign$
  - Payroll Admin(?:istrator).*via Docusign$
  - IT Support.*via Docusign$
  - Information Technology.*via Docusign$
  - (?:Network|System)? Admin(?:istrator).*via Docusign$
  - Help Desk.*via Docusign$
  - Tech(?:nical) Support.*via Docusign$
- subject.subject matches any of 38 patterns
  - scanne[rd]
  - _IMG_
  - IMG[_-](?:\d|\W)+
  - Invoice
  - INV\b
  - Payment
  - \bACH\b
  - Wire Confirmation
  - P[O0]\W+?\d+\"
  - P[O0](?:\W+?|\d+)
  - receipt
  - Billing
  - statement
  - Past Due
  - Remit(?:tance)?
  - Purchase Order
  - Settlementt
  - Pr[0o]p[0o]sal
  - Claim Doc
  - Payroll
  - Employee Pay\b
  - Salary
  - Benefit Enrollment
  - Employee Handbook
  - Reimbursement Approved
  - Urgent
  - Important
  - Secure
  - Encrypt
  - shared
  - protected
  - Validate
  - Action Required
  - Final Notice
  - Review(?: and| & |\s+)?Sign
  - Download PDF
  - Verification Code
  - \bMFA\b

Inspects: headers.auth_summary.dmarc.pass, headers.auth_summary.spf.pass, headers.reply_to, headers.reply_to[].email.domain.domain, headers.reply_to[].email.domain.root_domain, sender.display_name, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: beta.profile.by_reply_to, regex.icontains, strings.icontains, strings.istarts_with. Reference lists: $high_trust_sender_root_domains, $org_domains.

Indicators matched (61)

Field	Match	Value
`sender.email.domain.root_domain`	equals	`docusign.net`
`headers.reply_to[].email.domain.root_domain`	member	`docusign.net`
`headers.reply_to[].email.domain.root_domain`	member	`docusign.com`
`strings.istarts_with`	prefix	`Completed:`
`strings.istarts_with`	prefix	`Here is your signed document:`
`strings.istarts_with`	prefix	`Voided:`
`regex.icontains`	regex	`Docusign.*via Docusign$`
`strings.icontains`	substring	`sharefile`
`strings.icontains`	substring	`helloshare`
`regex.icontains`	regex	`Accounts? (?:Payable\|Receivable).*via Docusign$`
`regex.icontains`	regex	`Billing Support.*via Docusign$`
`regex.icontains`	regex	`Compliance HR.*via Docusign$`

49 more

`regex.icontains`	regex	`(?:Compliance\|Executive\|Finance\|\bHR\b\|Human Resources\|\bIT\b\|Legal\|Payroll\|Purchasing\|Operations\|Security\|Training\|Support).(?:Department\|Team)?.via Docusign$`
`regex.icontains`	regex	`Corporate Communications.*via Docusign$`
`regex.icontains`	regex	`Employee Relations.*via Docusign$`
`regex.icontains`	regex	`Office Manager.*via Docusign$`
`regex.icontains`	regex	`Risk Management.*via Docusign$`
`regex.icontains`	regex	`Payroll Admin(?:istrator).*via Docusign$`
`regex.icontains`	regex	`IT Support.*via Docusign$`
`regex.icontains`	regex	`Information Technology.*via Docusign$`
`regex.icontains`	regex	`(?:Network\|System)? Admin(?:istrator).*via Docusign$`
`regex.icontains`	regex	`Help Desk.*via Docusign$`
`regex.icontains`	regex	`Tech(?:nical) Support.*via Docusign$`
`regex.icontains`	regex	`scanne[rd]`
`regex.icontains`	regex	`_IMG_`
`regex.icontains`	regex	`IMG[_-](?:\d\|\W)+`
`regex.icontains`	regex	`Invoice`
`regex.icontains`	regex	`INV\b`
`regex.icontains`	regex	`Payment`
`regex.icontains`	regex	`\bACH\b`
`regex.icontains`	regex	`Wire Confirmation`
`regex.icontains`	regex	`P[O0]\W+?\d+\"`
`regex.icontains`	regex	`P[O0](?:\W+?\|\d+)`
`regex.icontains`	regex	`receipt`
`regex.icontains`	regex	`Billing`
`regex.icontains`	regex	`statement`
`regex.icontains`	regex	`Past Due`
`regex.icontains`	regex	`Remit(?:tance)?`
`regex.icontains`	regex	`Purchase Order`
`regex.icontains`	regex	`Settlementt`
`regex.icontains`	regex	`Pr[0o]p[0o]sal`
`regex.icontains`	regex	`Claim Doc`
`regex.icontains`	regex	`Payroll`
`regex.icontains`	regex	`Employee Pay\b`
`regex.icontains`	regex	`Salary`
`regex.icontains`	regex	`Benefit Enrollment`
`regex.icontains`	regex	`Employee Handbook`
`regex.icontains`	regex	`Reimbursement Approved`
`regex.icontains`	regex	`Urgent`
`regex.icontains`	regex	`Important`
`regex.icontains`	regex	`Secure`
`regex.icontains`	regex	`Encrypt`
`regex.icontains`	regex	`shared`
`regex.icontains`	regex	`protected`
`regex.icontains`	regex	`Validate`
`regex.icontains`	regex	`Action Required`
`regex.icontains`	regex	`Final Notice`
`regex.icontains`	regex	`Review(?: and\| & \|\s+)?Sign`
`regex.icontains`	regex	`Download PDF`
`regex.icontains`	regex	`Verification Code`
`regex.icontains`	regex	`\bMFA\b`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)