Credential phishing: DocuSign embedded image lure with no DocuSign domains in links

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects DocuSign-themed phishing emails that contain no DocuSign links, carry a DocuSign logo embedded in the body of the message, and come from a new (unsolicited) sender.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Attack types: Credential Phishing
Tactics and techniques: Impersonation: Brand, Social engineering

Rule body (MQL)

type.inbound
// link boundary
and length(filter(body.links, .href_url.domain.valid)) < 25

// there are no attachments, or only small, likely signature images
and (
  length(attachments) == 0
  or (
    length(attachments) > 0
    and all(attachments, .size < 8000 and .file_type in $file_types_images)
  )
)

// Screenshot indicates a docusign logo or docusign name with cta to documents
and (
  (
    //
    // This rule makes use of a beta feature and is subject to change without notice
    // using the beta feature in custom rules is not suggested until it has been formally released
    //
    strings.ilike(beta.ocr(file.message_screenshot()).text, "*DocuSign*")
    or any(ml.logo_detect(file.message_screenshot()).brands,
           .name == "DocuSign"
    )
  )
  // links with null display_text that do not go to docusign.* (indicative of hyperlinked image) or the display text contains DOCUMENT
  and (
    (
      (
        //
        // This rule makes use of a beta feature and is subject to change without notice
        // using the beta feature in custom rules is not suggested until it has been formally released
        //
        regex.icontains(beta.ocr(file.message_screenshot()).text,
                        "((re)?view|access|sign|complete(d)?) documen(t)?(s)?",
                        "Your document has been completed",
                        "New Document Shared with you",
                        "Kindly click the link",
                        "important edocs",
                        // German (Document (check|check|sign|sent))
                        "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
        )
        // German (important|urgent|immediate) but not in the Microsoft link
        or (
          (
            any(body.links,
                .display_text == "Erfahren Sie, warum dies wichtig ist"
                and .href_url.url == "https://aka.ms/LearnAboutSenderIdentification"
            )
            and regex.icount(beta.ocr(file.message_screenshot()).text,
                             "(wichtig|dringend|sofort)"
            ) > 1
          )
          or (
            not any(body.links,
                    .display_text == "Erfahren Sie, warum dies wichtig ist"
                    and .href_url.url == "https://aka.ms/LearnAboutSenderIdentification"
            )
            and regex.icount(beta.ocr(file.message_screenshot()).text,
                             "(wichtig|dringend|sofort)"
            ) > 0
          )
        )
      )
      and any(body.links,
              not strings.ilike(.href_url.domain.root_domain, "docusign.*")
              and (.display_text is null and .display_url.url is null)
      )
    )
    or any(body.links,
           not strings.ilike(.href_url.domain.root_domain, "docusign.*")
           and (
             regex.icontains(strings.replace_confusables(.display_text),
                             '(\bdocument|(view|get your) (docu|file))'
             )
             or strings.icontains(.display_text,
                                  "R\u{200F}E\u{200F}V\u{200F}I\u{200F}E\u{200F}W\u{200F} \u{200F}D\u{200F}O\u{200F}C\u{200F}U\u{200F}M\u{200F}E\u{200F}N\u{200F}T\u{200F}"
             )
           )
    )
  )
)

// sender is unsolicited (new), or has prior malicious/spam messages and none benign
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

// negate legit replies
and not (length(headers.references) > 0 or headers.in_reply_to is not null)
and not profile.by_sender().any_messages_benign

// negate docusign X-Return-Path
and not any(headers.hops,
            .index == 0
            and any(.fields,
                    .name == "X-Return-Path"
                    and strings.ends_with(.value, "docusign.net")
            )
)

// negate "via" senders via dmarc authentication
and (
  not coalesce(headers.auth_summary.dmarc.pass
               and strings.contains(sender.display_name, "via")
               and sender.email.domain.domain in $org_domains,
               false
  )
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. length(filter(body.links, .href_url.domain.valid)) < 25
  3. any of:
    • length(attachments) is 0
    • all of:
      • length(attachments) > 0
      • all of attachments where all hold:
        • .size < 8000
        • .file_type in $file_types_images
  4. all of:
    • any of:
      • beta.ocr(file.message_screenshot()).text matches '*DocuSign*'
      • any of ml.logo_detect(file.message_screenshot()).brands where:
        • .name is 'DocuSign'
    • any of:
      • all of:
        • any of:
          • beta.ocr(file.message_screenshot()).text matches any of 6 patterns
            • ((re)?view|access|sign|complete(d)?) documen(t)?(s)?
            • Your document has been completed
            • New Document Shared with you
            • Kindly click the link
            • important edocs
            • Dokument (überprüfen|prüfen|unterschreiben|geschickt)
          • any of:
            • all of:
              • any of body.links where all hold:
                • .display_text is 'Erfahren Sie, warum dies wichtig ist'
                • .href_url.url is 'https://aka.ms/LearnAboutSenderIdentification'
              • regex.icount(beta.ocr(file.message_screenshot()).text, '(wichtig|dringend|sofort)') > 1
            • all of:
              • not:
                • any of body.links where all hold:
                  • .display_text is 'Erfahren Sie, warum dies wichtig ist'
                  • .href_url.url is 'https://aka.ms/LearnAboutSenderIdentification'
              • regex.icount(beta.ocr(file.message_screenshot()).text, '(wichtig|dringend|sofort)') > 0
        • any of body.links where all hold:
          • not:
            • .href_url.domain.root_domain matches 'docusign.*'
          • all of:
            • .display_text is missing
            • .display_url.url is missing
      • any of body.links where all hold:
        • not:
          • .href_url.domain.root_domain matches 'docusign.*'
        • any of:
          • strings.replace_confusables(.display_text) matches '(\bdocument|(view|get your) (docu|file))'
          • .display_text contains 'R\u{200F}E\u{200F}V\u{200F}I\u{200F}E\u{200F}W\u{200F} \u{200F}D\u{200F}O\u{200F}C\u{200F}U\u{200F}M\u{200F}E\u{200F}N\u{200F}T\u{200F}'
  5. any of:
    • not:
      • profile.by_sender().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
  6. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains
  7. none of:
    • length(headers.references) > 0
    • headers.in_reply_to is set
  8. not:
    • profile.by_sender().any_messages_benign
  9. not:
    • any of headers.hops where all hold:
      • .index is 0
      • any of .fields where all hold:
        • .name is 'X-Return-Path'
        • .value ends with 'docusign.net'
  10. not:
    • coalesce(headers.auth_summary.dmarc.pass and strings.contains(sender.display_name, 'via') and sender.email.domain.domain in $org_domains, false)

Inspects: attachments[].file_type, attachments[].size, body.links, body.links[].display_text, body.links[].display_url.url, body.links[].href_url.domain.root_domain, body.links[].href_url.domain.valid, body.links[].href_url.url, headers.auth_summary.dmarc.pass, headers.hops, headers.hops[].fields, headers.hops[].fields[].name, headers.hops[].fields[].value, headers.hops[].index, headers.in_reply_to, headers.references, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, type.inbound. Sensors: beta.ocr, file.message_screenshot, ml.logo_detect, profile.by_sender, regex.icontains, regex.icount, strings.contains, strings.ends_with, strings.icontains, strings.ilike, strings.replace_confusables. Reference lists: $file_types_images, $high_trust_sender_root_domains, $org_domains.
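The link-lure branch of the rule (the two `any of body.links` checks under step 4) re-expressed in plain Python, as an added example; this is not Sublime's code and not the rule's own MQL. It assumes each link is a dict shaped like a body.links entry (href_url.domain.root_domain, display_text, display_url.url). Sublime's strings.replace_confusables is modelled by a small Cyrillic-to-Latin table (an assumption and only a tiny subset of the real mapping), and the rule's literal match on the U+200F-stuffed "REVIEW DOCUMENT" string is generalised to stripping every Unicode format character (category Cf) before matching, which goes beyond the single literal on the page. The sample links are constructed for this example.

```python
"""Added example (not Sublime's code): the link-lure branch of the rule in Python."""
import re
import unicodedata
from fnmatch import fnmatch

# Same pattern the rule applies after strings.replace_confusables(.display_text).
DOCUMENT_CTA = re.compile(r"(\bdocument|(view|get your) (docu|file))", re.IGNORECASE)

# Assumption: a small subset of Cyrillic-to-Latin lookalikes. Sublime's
# strings.replace_confusables covers far more; this table is only illustrative.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0410": "A", "\u0415": "E",
    "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0425": "X", "\u0406": "I",
})

# Constructed sample links (no real message, .example domains only).
SAMPLE_LINKS = [
    # Legitimate-looking link whose root domain matches docusign.* -> never a lure here
    {"href_url": {"domain": {"root_domain": "docusign.example"}},
     "display_text": "Review Document", "display_url": {"url": "https://docusign.example/sign"}},
    # Hyperlinked image: no display text and no display URL
    {"href_url": {"domain": {"root_domain": "cdn-host.example"}},
     "display_text": None, "display_url": None},
    # "REVIEW DOCUMENT" with a right-to-left mark (U+200F) between every letter
    {"href_url": {"domain": {"root_domain": "files.example"}},
     "display_text": "R\u200fE\u200fV\u200fI\u200fE\u200fW\u200f \u200fD\u200fO\u200fC\u200fU\u200fM\u200fE\u200fN\u200fT\u200f",
     "display_url": {"url": "https://files.example/x"}},
    # "View document" spelled with Cyrillic i (U+0456) and o (U+043E)
    {"href_url": {"domain": {"root_domain": "files.example"}},
     "display_text": "V\u0456ew d\u043ecument", "display_url": {"url": "https://files.example/y"}},
    # Ordinary footer link: non-DocuSign domain but no document call to action
    {"href_url": {"domain": {"root_domain": "mail.example"}},
     "display_text": "Unsubscribe", "display_url": {"url": "https://mail.example/u"}},
]


def strip_format_chars(text: str) -> str:
    """Drop Unicode format characters (category Cf: RLM U+200F, zero-width joiners, ...).
    Generalises the rule's literal match on R\u200fE\u200fV\u200fI... to any
    format-character stuffing between letters."""
    return "".join(c for c in text if unicodedata.category(c) != "Cf")


def normalise_display_text(text: str) -> str:
    """Format-character stripping followed by the (illustrative) confusables mapping."""
    return strip_format_chars(text).translate(CONFUSABLES)


def is_docusign_root(root_domain: str) -> bool:
    """strings.ilike(.href_url.domain.root_domain, "docusign.*"): case-insensitive glob."""
    return fnmatch(root_domain.lower(), "docusign.*")


def is_hyperlinked_image(link: dict) -> bool:
    """.display_text is null and .display_url.url is null"""
    display_url = link.get("display_url") or {}
    return link.get("display_text") is None and display_url.get("url") is None


def has_document_cta(link: dict) -> bool:
    """Display text (normalised) matches the document call-to-action regex."""
    text = link.get("display_text")
    if text is None:
        return False
    return DOCUMENT_CTA.search(normalise_display_text(text)) is not None


def link_is_lure(link: dict) -> bool:
    """A link is a lure only if it does NOT go to docusign.* and looks like an
    image link or carries a document call to action."""
    root = link["href_url"]["domain"]["root_domain"]
    if is_docusign_root(root):
        return False
    return is_hyperlinked_image(link) or has_document_cta(link)


def lure_links(links: list) -> list:
    """All links in the message that satisfy the lure branch."""
    return [link for link in links if link_is_lure(link)]


if __name__ == "__main__":
    for link in lure_links(SAMPLE_LINKS):
        print(link["href_url"]["domain"]["root_domain"], repr(link.get("display_text")))
```

The rule itself only ANDs the null-display-text variant with the OCR patterns of step 4; this example isolates the link logic so the two evasion techniques the rule names (bidi-mark stuffing and homoglyph display text) can be tried on arbitrary link lists.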

Indicators matched (17)

Field (match type): value
strings.ilike (substring): *DocuSign*
ml.logo_detect(file.message_screenshot()).brands[].name (equals): DocuSign
regex.icontains (regex): ((re)?view|access|sign|complete(d)?) documen(t)?(s)?
regex.icontains (regex): Your document has been completed
regex.icontains (regex): New Document Shared with you
regex.icontains (regex): Kindly click the link
regex.icontains (regex): important edocs
regex.icontains (regex): Dokument (überprüfen|prüfen|unterschreiben|geschickt)
body.links[].display_text (equals): Erfahren Sie, warum dies wichtig ist
body.links[].href_url.url (equals): https://aka.ms/LearnAboutSenderIdentification
regex.icount (regex): (wichtig|dringend|sofort)
strings.ilike (substring): docusign.*
regex.icontains (regex): (\bdocument|(view|get your) (docu|file))
strings.icontains (substring): R\u{200F}E\u{200F}V\u{200F}I\u{200F}E\u{200F}W\u{200F} \u{200F}D\u{200F}O\u{200F}C\u{200F}U\u{200F}M\u{200F}E\u{200F}N\u{200F}T\u{200F}
headers.hops[].fields[].name (equals): X-Return-Path
strings.ends_with (suffix): docusign.net
strings.contains (substring): via