Detection rules › Sublime MQL
Suspicious DocuSign share from new domain
DocuSign shares with new reply-to addresses have been seen in recent attacks.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | BEC/Fraud, Credential Phishing |
| Tactics and techniques | Evasion, Free file host, Impersonation: Brand, Social engineering |
Event coverage
Rule body MQL
type.inbound
// message is from docusign actual
and sender.email.domain.root_domain == 'docusign.net'
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
// reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited
// new reply-to
and any(headers.reply_to, network.whois(.email.domain).days_old < 30)
// not a completed DocuSign
and not strings.istarts_with(subject.subject, "Completed:")
Detection logic
Scope: inbound message.
DocuSign shares with new reply-to addresses have been seen in recent attacks.
- inbound message
- sender.email.domain.root_domain is 'docusign.net'
any of:
- headers.auth_summary.spf.pass
- headers.auth_summary.dmarc.pass
not:
- beta.profile.by_reply_to().solicited
any of
headers.reply_towhere:- network.whois(.email.domain).days_old < 30
not:
- subject.subject starts with 'Completed:'
Inspects: headers.auth_summary.dmarc.pass, headers.auth_summary.spf.pass, headers.reply_to, headers.reply_to[].email.domain, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: beta.profile.by_reply_to, network.whois, strings.istarts_with.
Indicators matched (2)
| Field | Match | Value |
|---|---|---|
sender.email.domain.root_domain | equals | docusign.net |
strings.istarts_with | prefix | Completed: |