
Brand impersonation: DocuSign PDF attachment with suspicious link

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

This rule detects DocuSign logos within PDFs that do not link to reputable domains, nor to DocuSign itself. This is typically indicative of credential phishing.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                  Values
Attack types              Credential Phishing
Tactics and techniques    Impersonation: Brand, PDF, Social engineering

Event coverage

Rule body (MQL)

type.inbound
and any(attachments,
        .file_type == "pdf"
        and any(ml.logo_detect(.).brands, .name == "DocuSign")
        and any(file.explode(.),
                length(.scan.url.urls) <= 9
                and any(.scan.url.urls,
                        .domain.root_domain not in $tranco_1m
                        and .domain.root_domain not in $org_domains
                        and .domain.root_domain != "sublimesecurity.com"
                        and not strings.ilike(.domain.root_domain, "docusign.*")
                )
        )
        and any(file.explode(.),
                any(ml.nlu_classifier(.scan.ocr.raw).entities,
                    .name == "org" and .text == "DocuSign"
                )
        )
        and any(file.explode(.),
                any(ml.nlu_classifier(.scan.ocr.raw).entities,
                    .name == "request"
                )
        )
)

Detection logic

Scope: inbound message.

This rule detects DocuSign logos within PDFs that do not link to reputable domains, nor to DocuSign itself. This is typically indicative of credential phishing.

  1. inbound message
  2. any of attachments where all hold:
    • .file_type is 'pdf'
    • any of ml.logo_detect(.).brands where:
      • .name is 'DocuSign'
    • any of file.explode(.) where all hold:
      • length(.scan.url.urls) ≤ 9
      • any of .scan.url.urls where all hold:
        • .domain.root_domain not in $tranco_1m
        • .domain.root_domain not in $org_domains
        • .domain.root_domain is not 'sublimesecurity.com'
        • not:
          • .domain.root_domain matches 'docusign.*'
    • any of file.explode(.) where:
      • any of ml.nlu_classifier(.scan.ocr.raw).entities where all hold:
        • .name is 'org'
        • .text is 'DocuSign'
    • any of file.explode(.) where:
      • any of ml.nlu_classifier(.scan.ocr.raw).entities where:
        • .name is 'request'

Inspects: attachments[].file_type, type.inbound. Sensors: file.explode, ml.logo_detect, ml.nlu_classifier, strings.ilike. Reference lists: $org_domains, $tranco_1m.
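To make the combination of conditions concrete, the following is an added Python re-implementation of the rule's boolean logic; it is not Sublime's rule engine nor code from the sublime-rules repository. The ML sensors (logo detection, OCR, NLU classifier) and file.explode are replaced by fields on a constructed attachment record, the $tranco_1m and $org_domains reference lists are small constructed sets, and strings.ilike is approximated with a case-insensitive fnmatch (an assumption about its wildcard semantics).

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed stand-ins for the $tranco_1m and $org_domains reference lists
# (the real lists are far larger; these are only for the demonstration).
TRANCO_1M = {"google.com", "microsoft.com", "docusign.com", "dropbox.com"}
ORG_DOMAINS = {"example-corp.com"}


@dataclass
class ExplodedFile:
    """One item of file.explode(.): the URL root domains extracted from the
    file and the (name, text) entities the NLU classifier returned over its
    OCR text. Both are supplied directly here instead of being computed."""
    url_root_domains: list
    entities: list


@dataclass
class Attachment:
    file_type: str
    logo_brands: list   # stands in for ml.logo_detect(.).brands[].name
    exploded: list      # stands in for file.explode(.)


def ilike(value, pattern):
    """Case-insensitive wildcard match; assumed to approximate strings.ilike."""
    return fnmatchcase(value.lower(), pattern.lower())


def url_is_suspicious(root_domain):
    """The per-URL test from the rule body: not a top-1M domain, not one of
    the organisation's own domains, not sublimesecurity.com, not docusign.*"""
    return (root_domain not in TRANCO_1M
            and root_domain not in ORG_DOMAINS
            and root_domain != "sublimesecurity.com"
            and not ilike(root_domain, "docusign.*"))


def attachment_matches(att):
    """All of the rule's attachment-level conditions must hold."""
    if att.file_type != "pdf":
        return False
    if "DocuSign" not in att.logo_brands:
        return False
    # Some exploded file has at most 9 URLs and at least one of them
    # points somewhere other than a reputable or DocuSign domain.
    suspicious_link = any(
        len(f.url_root_domains) <= 9
        and any(url_is_suspicious(d) for d in f.url_root_domains)
        for f in att.exploded)
    # The OCR text names DocuSign as an organisation.
    names_docusign = any(
        any(n == "org" and t == "DocuSign" for n, t in f.entities)
        for f in att.exploded)
    # The OCR text contains a request (e.g. "please review and sign").
    has_request = any(
        any(n == "request" for n, _ in f.entities) for f in att.exploded)
    return suspicious_link and names_docusign and has_request


def rule_fires(inbound, attachments):
    return inbound and any(attachment_matches(a) for a in attachments)


def sample_verdicts():
    """Constructed attachments exercising the rule's main branches."""
    ents = [("org", "DocuSign"), ("request", "Please review and sign")]
    # A lure: DocuSign logo, genuine docusign.com link plus one unknown domain.
    lure = Attachment("pdf", ["DocuSign"], [ExplodedFile(
        ["docusign.com", "review-docs-portal.example"], ents)])
    # A genuine notification: every link is DocuSign's or the org's own.
    genuine = Attachment("pdf", ["DocuSign"], [ExplodedFile(
        ["docusign.com", "docusign.net", "example-corp.com"], ents)])
    # Same lure but with more than 9 URLs: the length guard suppresses it.
    many_links = Attachment("pdf", ["DocuSign"], [ExplodedFile(
        ["review-docs-portal.example"] + [f"site{i}.example" for i in range(10)],
        ents)])
    # Logo and link present but no "request" entity in the OCR text.
    no_request = Attachment("pdf", ["DocuSign"], [ExplodedFile(
        ["review-docs-portal.example"], [("org", "DocuSign")])])
    return {
        "lure": rule_fires(True, [lure]),
        "genuine": rule_fires(True, [genuine]),
        "many_links": rule_fires(True, [many_links]),
        "no_request": rule_fires(True, [no_request]),
        "outbound_lure": rule_fires(False, [lure]),
    }


if __name__ == "__main__":
    for name, fired in sample_verdicts().items():
        print(f"{name:>14}: {'MATCH' if fired else 'no match'}")
```

Two behaviours worth noticing when tuning: a single non-reputable link is enough for the URL condition even when the PDF also carries genuine docusign.com links, and the "docusign.*" pattern only exempts DocuSign's own registrable domains, so a domain such as review-docs-portal.example in the constructed data stays in scope unless it appears in $tranco_1m or $org_domains.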

Indicators matched (6)

Field                                                                        Match      Value
attachments[].file_type                                                      equals     pdf
ml.logo_detect(attachments[]).brands[].name                                  equals     DocuSign
strings.ilike                                                                substring  docusign.*
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).entities[].name  equals     org
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).entities[].text  equals     DocuSign
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).entities[].name  equals     request