Brand impersonation: DocuSign

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Attack impersonating a DocuSign request for signature.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Credential Phishing
Tactics and techniques	Impersonation: Brand, Lookalike domain, Social engineering, Spoofing

Event coverage

Message attribute
attachments (collection)
body
body.current_thread
body.html
body.links (collection)
headers (collection)
headers.auth_summary
headers.domains (collection)
headers.hops (collection)
sender
sender.email
subject
type

Rule body MQL

type.inbound
and (
  // orgs can have docusign.company.com
  strings.ilike(sender.email.email, '*docusign.net*', '*docusign.com*')

  // if the above is true, you'll see a "via Docusign"
  or strings.ilike(sender.display_name, '*docusign*')

  // detects 1 character variations,
  // such as DocuSlgn (with an "L" instead of an "I")
  or strings.ilevenshtein(sender.display_name, "docusign") == 1
  or strings.ilike(sender.display_name, "*docuonline*", "*via *signature*")
  or (
    strings.istarts_with(body.html.inner_text, "docusign")
    and not strings.istarts_with(body.current_thread.text, "docusign")
  )
  // docusign is found in current thread AND contains docusign wording within current_thread or subject
  or (
    regex.icontains(body.current_thread.text, '\bdocu.?sign\b')
    and (
      // additional context from body.current_thread.text
      strings.istarts_with(body.current_thread.text, "DOCUSIGN\n", )
      or regex.icontains(body.current_thread.text,
                         "You(?:'ve| have) received a ([^\\s]+\\s)?document"
      )
      or strings.icontains(body.current_thread.text,
                           'a document to review and sign',
      )
      or strings.icontains(body.current_thread.text,
                           'A document is available for you',
      )
      or strings.icontains(body.current_thread.text,
                           'a document ready for you',
      )
      or strings.icontains(body.current_thread.text,
                           'This email contains a secure link to DocuSign'
      )
      or strings.icontains(body.current_thread.text,
                           'All parties have completed with Docusign'
      )
      or strings.icontains(body.current_thread.text,
                           'the signing of this document has been completed'
      )
      or strings.icontains(body.current_thread.text,
                           'Please use the link above to Docusign'
      )
      or strings.icontains(body.current_thread.text, 'Review on Docusign')
      or strings.icontains(body.current_thread.text, 'Completed with Docusign')
      or strings.icontains(body.current_thread.text, 'Completed on Docusign')
      or strings.icontains(body.current_thread.text, 'Complete with Docusign')
      or strings.icontains(body.current_thread.text,
                           'please review and complete with DocuSign'
      )
      or strings.icontains(body.current_thread.text,
                           'We appreciate you choosing DocuSign'
      )
      or strings.icontains(body.current_thread.text,
                           'A document has been sent to you for'
      )
      or strings.icontains(body.current_thread.text, 'Please Sign docusign')
      or strings.icontains(body.current_thread.text,
                           'This email was sent via DocuSign'
      )
      or strings.icontains(body.current_thread.text,
                           'This email was sent to you via DocuSign'
      )
      or strings.icontains(body.current_thread.text,
                           'This message was sent via DocuSign'
      )
      or strings.icontains(body.current_thread.text,
                           'This message was sent to you via DocuSign'
      )
      or strings.icontains(body.current_thread.text,
                           'review via DocuSign Electronic Signature'
      )
      or strings.icontains(body.current_thread.text, 'sent to you by DocuSign')
      or strings.icontains(body.current_thread.text, 'Processed by DocuSign')
      or strings.icontains(body.current_thread.text,
                           'Please read and sign the document'
      )
      or strings.icontains(body.current_thread.text,
                           'Please kindly review and sign the '
      )
      or strings.icontains(body.current_thread.text,
                           'Your document is pending review and signature'
      )
      or strings.icontains(body.current_thread.text,
                           'pending document for your signature'
      )
      or strings.icontains(body.current_thread.text,
                           'your review and signature'
      )
      or strings.icontains(body.current_thread.text, 'a pending document for')
      or strings.icontains(body.current_thread.text, 'Your document is ready')
      or strings.icontains(body.current_thread.text,
                           'This email is automatically generated by DocuSign'
      )
      or strings.icontains(body.current_thread.text,
                           'Your document has been completed'
      )
      // docusign is "near" review and sign or sign and return
      or regex.icontains(body.current_thread.text,
                         'Review\s*(?:and\s*|&\s*)Sign.{0,40}docusign',
                         'docusign.{0,40}Review\s*(?:and\s*|&\s*)Sign',
                         'Sign\s*(?:and\s*|&\s*)Return.{0,40}docusign',
                         'Sign\s*(?:and\s*|&\s*)Return.docusign.{0,40}'
      )

      // additional context from subject.subject
      or strings.icontains(subject.subject, 'complete with docusign')
      or strings.icontains(subject.subject, 'signature request')
      or regex.icontains(subject.subject, 'Review\s*(?:and\s*|&\s*)Sign')
      or regex.icontains(subject.subject, 'Sign\s*(?:and\s*|&\s*)Return')
      or strings.icontains(subject.subject, 'Please Docusign')
      or strings.icontains(subject.subject, 'Docusign has sent')
    )
  )
  or (
    // negate replies/forwards which involve a legit docusign message-id format
    not any(headers.references,
            strings.iends_with(., 'docusign.net')
            and regex.imatch(., '[0-9a-f]{32}@(?:[^\.]+\.)?docusign.net')
    )
    and (
      (
        sender.display_name is not null
        and regex.icontains(sender.display_name, '\bdocu\b')
        and strings.icontains(sender.display_name, 'sign')
      )
      or (
        subject.subject is not null
        and regex.icontains(subject.subject, '\bdocu\b')
        and strings.icontains(subject.subject, 'sign')
      )
      or (
        (
          regex.icontains(body.html.raw,
                          'Powered by.{0,6}(?:\s*<\/?[^\>]+\>\s*)+<img[^\>]+(?:src="https:\/\/docucdn-a\.akamaihd\.net\/[^\"]+email-logo.png"|alt="DocuSign")'
          )
          or regex.icontains(body.current_thread.text, 'Powered by\s*DocuSign')
        )
        // limit it to where the powered by is within the current thread
        and strings.icontains(body.current_thread.text, 'Powered by')
      )
      // footer disclaimers
      or strings.icontains(body.current_thread.text,
                           'using the Docusign Electronic Signature Service'
      )
      or strings.icontains(body.current_thread.text,
                           'who uses the DocuSign Electronic Signature Service'
      )
      or strings.icontains(body.current_thread.text,
                           'Thank you for choosing DocuSign'
      )
      or (
        (
          strings.icontains(body.current_thread.text,
                            'Alternate Signing Method'
          )
          or strings.icontains(body.current_thread.text, 'Alternative Access')
        )
        and regex.icontains(body.current_thread.text,
                            '(?:Click|Select) ''Access Documents'', and enter '
        )
      )
      or (
        strings.icontains(body.current_thread.text,
                          'Please do not share this email, link, or access code with others'
        )
        and not sender.email.domain.root_domain in (
          "insuresign.com",
          "clixsign.com",
          "esignlive.com",
          "clickcontracts.com",
          "sadq.sa",
          "vasion.com",
          "chubb.com", // insurance company
        )
      )
      or (
        strings.icontains(body.current_thread.text, 'Docusign provides a ')
        and strings.icontains(body.current_thread.text,
                              'solution for Digital Transaction Management'
        )
      )
      or strings.icontains(body.current_thread.text,
                           'a secure link to DocuSign'
      )

      // footer links
      or (
        length(filter(body.links,
                      (
                        .href_url.domain.domain == "support.docusign.com"
                        and strings.contains(.href_url.path, '/articles/')
                      )
                      or .href_url.domain.domain == "community.docusign.com"
                      or .href_url.domain.domain == "protect.docusign.com"
                      or .href_url.domain.domain == "app.esign.docusign.com"
               )
        ) >= 2
        // and the display_text for these links are within the current thread
        and (
          strings.icontains(body.current_thread.text, 'Declining to sign')
          or strings.icontains(body.current_thread.text,
                               'Managing notifications'
          )
          or strings.icontains(body.current_thread.text,
                               'How to Sign a Document'
          )
          or strings.icontains(body.current_thread.text,
                               'Docusign Support Center'
          )
          or strings.icontains(body.current_thread.text, 'Report this email')
          or strings.icontains(body.current_thread.text, 'Docusign Community')
          or strings.icontains(body.current_thread.text,
                               'Connect with our support team'
          )
          or strings.icontains(body.current_thread.text, 'Unsubscribe')
          or strings.icontains(body.current_thread.text, 'Manage Preferences')
        )
      )
    )
  )
  or (
    (
      regex.icontains(body.html.raw,
                      '<font size="?[0-9]"?[^\>]*>DocuSign</font>'
      )
      or regex.icontains(body.html.raw, '\nDocu(?:<[^\>]+>\s*)+Sign<')
      or regex.icontains(body.html.raw,
                         '<span[^>]*style="[^"]*">Docu.?Sign<\/span>'
      )
      or any(html.xpath(body.html, '//h1').nodes,
             regex.icontains(.display_text, 'Docu.?Sign')
      )
      or regex.icontains(body.html.raw,
                         '<span[^>]*style="[^"]*">(Docu|D(?:ocu?)?)<\/span>(?:<[^\>]+\>){0,2}<span[^>]*style="[^"]*">(Sign|S(?:ign?)?)<\/span>'
      )
      // any bold text contains docusign
      or any(html.xpath(body.html, '//strong').nodes,
             regex.imatch(.display_text, 'Docu.?Sign')
      )
      // title starts with Docusign
      or any(html.xpath(body.html, '//title').nodes,
             regex.icontains(.display_text, '^docu.?sign')
      )
      // a div with a class of logo contains the display text of docusign
      or any(html.xpath(body.html, '//div[@class="logo"]').nodes,
             strings.icontains(.display_text, 'Docusign')
      )
      // image contains an alt text of docusign
      or any(html.xpath(body.html, '//img/@alt').nodes, .raw =~ "docusign")

      // Basic variations with HTML encoding
      // use of regex extract allows
      or any(regex.iextract(body.html.raw,
                            '(?:D|&#68;|&#x44;)(?:&#?[0-9a-fA-F]{2,6};|\s|o|о|&#1086;|&#x43e;)(?:&#?[0-9a-fA-F]{2,6};|\s|c|с|&#1089;|&#x441;)u(?:&#?[0-9a-fA-F]{2,6};|\s)?S(?:&#?[0-9a-fA-F]{2,6};|\s|i|і|&#1110;|&#x456;)(?:&#?[0-9a-fA-F]{2,6};|\s|g|ɡ|&#609;|&#x261;)(?:n|&#110;|&#x6e;)'
             ),
             .full_match !~ "docusign"
      )
      //  Common homograph patterns
      or any(regex.iextract(body.html.raw,
                            '(?:[DⅮᎠᗞᗡ𝐃𝐷𝑫𝒟𝓓𝔇𝔻𝕯𝖣])\s*(?:[oοоօ0Ооʘ◯])\s*(?:[cсçҫ¢ϲС])\s*u\s*(?:[sѕЅ5$])\s*(?:[iіІ1l!|])\s*(?:[gǵġģ9ɡ])\s*(?:[nոռℼη𝐧𝑛𝒏𝓃𝓷𝔫𝕟𝖓])'
             ),
             .full_match !~ "docusign"
      )

      // Look for HTML entities for each letter in sequence
      or any(regex.iextract(body.html.raw,
                            '(?:D|&#68;|&#x44;)(?:o|о|&#111;|&#x6f;|&#1086;|&#x43e;|&#959;|&#x3bf;)(?:c|с|&#99;|&#x63;|&#1089;|&#x441;|&#1010;|&#231;|&#x67;|&#265;|&#x109;)(?:u|&#117;|&#x75;|&#1091;|&#x443;|&#965;|&#x3c5;)(?:s|&#115;|&#x73;|&#1109;|&#x455;)(?:i|і|&#105;|&#x69;|&#1110;|&#x456;|&#305;|&#x131;)(?:g|&#103;|&#x67;|&#609;|&#x261;|&#287;|&#x11f;)(?:n|&#110;|&#x6e;|&#1085;|&#x43d;|&#951;|&#x3b7;)'
             ),
             .full_match !~ "docusign"
      )

      // Handle repeated HTML entities and variation selectors (using Unicode class)
      or any(regex.iextract(body.html.raw,
                            'D(?:&#[0-9]{1,7};)*\p{Mn}*o(?:&#[0-9]{1,7};)*\p{Mn}*c(?:&#[0-9]{1,7};)*\p{Mn}*u(?:&#[0-9]{1,7};)*\p{Mn}*[Ss](?:&#[0-9]{1,7};)*\p{Mn}*i(?:&#[0-9]{1,7};)*\p{Mn}*g(?:&#[0-9]{1,7};)*\p{Mn}*n'
             ),
             .full_match !~ "docusign"
      )
    )
    and (
      regex.icontains(body.html.raw,
                      'b(?:ackground(?:-color)?|g?color):\s*rgb\(30,\s*76,\s*161\)',
                      'b(?:ackground(?:-color)?|g?color):\s*rgb\(61,\s*170,\s*73\)'
      )
      or regex.icontains(body.html.raw,
                         '<(?:div|td|table)[^>]*b(?:ackground(?:-color)?|g?color)(?::|=)\s*\"?#1e4ca1[^>]*>',
      )
      or regex.icontains(body.html.raw,
                         'b(?:ackground(?:-color)?|g?color)(?::|=)\s*\"?#(?:214e9f|3260a7|0056b3|1e4ca1|214395|325bb8|3c60ad)'
      )
    )
  )
  or (
    strings.icontains(body.current_thread.text, 'Docusign')
    and (
      regex.icontains(body.html.raw, '<title>[^<]*Easearch[^<]*</title>')
      or regex.icontains(body.html.raw, '<spacing>[^<]*(?:Docusign|Document)')
      or regex.icontains(body.html.raw, '{(?:domain|randomNumber\d?)}')
    )
  )
)

// identifies the main CTA in the email, eg "Review now" or "Review document"
// this should always be a known docusign domain,
// even with branded docusign subdomains
and (
  any(
      // filter links that match docusign wording
      filter(body.links,
             // we've observed invisible characters in the display name
             // such as U+034F: "Revi\x{034F}ew Now"
             (
               strings.ilevenshtein(.display_text, "Review Now") <= 3
               or strings.ilevenshtein(.display_text, "Review and Sign") <= 3
               or (
                 strings.icontains(.display_text, "Review")
                 // negate benign uses of the "review" term
                 and not (
                   strings.icontains(.display_text, "Review Us")
                   or strings.icontains(.display_text, "leave us a review")
                   or regex.icontains(.display_text, '\bReviews\b')
                   // don't match microsoft quarantine messages
                   or (
                     strings.icontains(.display_text, "Review Message")
                     and (
                       .href_url.domain.domain == "security.microsoft.com"
                       and .href_url.path == "/quarantine"
                     )
                   )
                 )
               )
               or strings.icontains(.display_text, "document")
               or strings.icontains(.display_text, "docusign")
               or strings.icontains(.display_text, "Review on Docusign")
               or strings.icontains(.display_text, "view form")
               or (
                 strings.icontains(.display_text, "Sign")
                 and regex.icontains(.display_text, '(?:in\b|now)')
               )
               or (
                 strings.icontains(.display_text, "Download")
                 and (
                   strings.icontains(.display_text, "File")
                   or strings.icontains(.display_text, "Document")
                 )
               )
               or strings.icontains(.display_text, "complete tasks")
               or strings.icontains(.display_text, "View and complete")
             )
      ),
      // ensure those links aren't legit
      not .href_url.domain.root_domain in (
        "docusign.com",
        "docusign.net",
        'docusign.co.uk',
        'docusign.com.br',
        'docusign.fr',
        // other e-signature companies which use simliar wording
        "insuresign.com",
        "clixsign.com",
        "esignlive.com",
        "clickcontracts.com",
        "adobesign.com",
        "hellosign.com",
      )
      and not (
        .href_url.domain.root_domain == "mimecastprotect.com"
        and (
          .href_url.query_params is not null
          and regex.icontains(.href_url.query_params,
                              'domain=(?:\w+\.)?docusign.(?:net|com|co\.uk|com\.br|fr)',
                              // other e-signature companies
                              'domain=(?:\w+\.)?(?:insuresign\.com|clixsign\.com|esignlive\.com|clickcontracts\.com|adobesign\.com|hellosign\.com)'
          )
        )
      )
  )
  // Suspicious attachment
  or any(attachments,
         (
           .file_extension in~ ("html", "htm", "shtml", "dhtml")
           or .file_extension in~ $file_extensions_common_archives
           or .file_type == "html"
           or .content_type == "text/html"
         )
         and 1 of (
           (
             regex.icontains(file.parse_html(.).raw, '\s{0,}<script.*')
             and regex.icontains(file.parse_html(.).raw, "</script>")
           ),
           strings.ilike(file.parse_html(.).raw,
                         "*createElement*",
                         "*appendChild*",
                         "*createObjectURL*"
           ),
           strings.icount(file.parse_html(.).raw, "/*") > 10,
           any($free_subdomain_hosts, strings.icontains(..file_name, .))
         )
  )
)

// negate highly trusted sender domains if they pass DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

// negation for messages traversing docusign.net
// happens with custom sender domains
and not (
  any(headers.domains, .root_domain == "docusign.net")
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
)

// adding negation for messages originating from docusigns api
// and the sender.display.name contains "via"
and not (
  any(headers.hops,
      any(.fields,
          .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
      )
  )
  and strings.contains(sender.display_name, "via")
)

Detection logic

Scope: inbound message.

Attack impersonating a DocuSign request for signature.

inbound message
any of:
- sender.email.email matches any of 2 patterns
  - *docusign.net*
  - *docusign.com*
- sender.display_name matches '*docusign*'
- sender.display_name is similar to 'docusign'
- sender.display_name matches any of 2 patterns
  - *docuonline*
  - *via *signature*
- all of:
  - body.html.inner_text starts with 'docusign'
  - not:
    
    body.current_thread.text starts with 'docusign'
- all of:
  - body.current_thread.text matches '\\bdocu.?sign\\b'
  - any of:
    
    body.current_thread.text starts with 'DOCUSIGN\\n'
    body.current_thread.text matches "You(?:'ve| have) received a ([^\\\\s]+\\\\s)?document"
    body.current_thread.text contains 'a document to review and sign'
    body.current_thread.text contains 'A document is available for you'
    body.current_thread.text contains 'a document ready for you'
    body.current_thread.text contains 'This email contains a secure link to DocuSign'
    body.current_thread.text contains 'All parties have completed with Docusign'
    body.current_thread.text contains 'the signing of this document has been completed'
    body.current_thread.text contains 'Please use the link above to Docusign'
    body.current_thread.text contains 'Review on Docusign'
    body.current_thread.text contains 'Completed with Docusign'
    body.current_thread.text contains 'Completed on Docusign'
    body.current_thread.text contains 'Complete with Docusign'
    body.current_thread.text contains 'please review and complete with DocuSign'
    body.current_thread.text contains 'We appreciate you choosing DocuSign'
    body.current_thread.text contains 'A document has been sent to you for'
    body.current_thread.text contains 'Please Sign docusign'
    body.current_thread.text contains 'This email was sent via DocuSign'
    body.current_thread.text contains 'This email was sent to you via DocuSign'
    body.current_thread.text contains 'This message was sent via DocuSign'
    body.current_thread.text contains 'This message was sent to you via DocuSign'
    body.current_thread.text contains 'review via DocuSign Electronic Signature'
    body.current_thread.text contains 'sent to you by DocuSign'
    body.current_thread.text contains 'Processed by DocuSign'
    body.current_thread.text contains 'Please read and sign the document'
    body.current_thread.text contains 'Please kindly review and sign the '
    body.current_thread.text contains 'Your document is pending review and signature'
    body.current_thread.text contains 'pending document for your signature'
    body.current_thread.text contains 'your review and signature'
    body.current_thread.text contains 'a pending document for'
    body.current_thread.text contains 'Your document is ready'
    body.current_thread.text contains 'This email is automatically generated by DocuSign'
    body.current_thread.text contains 'Your document has been completed'
    body.current_thread.text matches any of 4 patterns
    
    Review\s*(?:and\s*|&\s*)Sign.{0,40}docusign
    docusign.{0,40}Review\s*(?:and\s*|&\s*)Sign
    Sign\s*(?:and\s*|&\s*)Return.{0,40}docusign
    Sign\s*(?:and\s*|&\s*)Return.docusign.{0,40}
    subject.subject contains 'complete with docusign'
    subject.subject contains 'signature request'
    subject.subject matches 'Review\\s*(?:and\\s*|&\\s*)Sign'
    subject.subject matches 'Sign\\s*(?:and\\s*|&\\s*)Return'
    subject.subject contains 'Please Docusign'
    subject.subject contains 'Docusign has sent'
- all of:
  - not:
    
    any of headers.references where all hold:
    
    . ends with 'docusign.net'
    . matches '[0-9a-f]{32}@(?:[^\\.]+\\.)?docusign.net'
  - any of:
    
    all of:
    
    sender.display_name is set
    sender.display_name matches '\\bdocu\\b'
    sender.display_name contains 'sign'
    all of:
    
    subject.subject is set
    subject.subject matches '\\bdocu\\b'
    subject.subject contains 'sign'
    all of:
    
    any of:
    
    body.html.raw matches 'Powered by.{0,6}(?:\\s*<\\/?[^\\>]+\\>\\s*)+<img[^\\>]+(?:src="https:\\/\\/docucdn-a\\.akamaihd\\.net\\/[^\\"]+email-logo.png"|alt="DocuSign")'
    body.current_thread.text matches 'Powered by\\s*DocuSign'
    body.current_thread.text contains 'Powered by'
    body.current_thread.text contains 'using the Docusign Electronic Signature Service'
    body.current_thread.text contains 'who uses the DocuSign Electronic Signature Service'
    body.current_thread.text contains 'Thank you for choosing DocuSign'
    all of:
    
    any of:
    
    body.current_thread.text contains 'Alternate Signing Method'
    body.current_thread.text contains 'Alternative Access'
    body.current_thread.text matches "(?:Click|Select) 'Access Documents', and enter "
    all of:
    
    body.current_thread.text contains 'Please do not share this email, link, or access code with others'
    not:
    
    sender.email.domain.root_domain in ('insuresign.com', 'clixsign.com', 'esignlive.com', 'clickcontracts.com', 'sadq.sa', 'vasion.com', 'chubb.com')
    all of:
    
    body.current_thread.text contains 'Docusign provides a '
    body.current_thread.text contains 'solution for Digital Transaction Management'
    body.current_thread.text contains 'a secure link to DocuSign'
    all of:
    
    length(filter(body.links, .href_url.domain.domain == 'support.docusign.com' and strings.contains(.href_url.path, '/articles/') or .href_url.domain.domain == 'community.docusign.com' or .href_url.domain.domain == 'protect.docusign.com' or .href_url.domain.domain == 'app.esign.docusign.com')) ≥ 2
    body.current_thread.text contains any of 9 patterns
    
    Declining to sign
    Managing notifications
    How to Sign a Document
    Docusign Support Center
    Report this email
    Docusign Community
    Connect with our support team
    Unsubscribe
    Manage Preferences
- all of:
  - any of:
    
    body.html.raw matches '<font size="?[0-9]"?[^\\>]*>DocuSign</font>'
    body.html.raw matches '\\nDocu(?:<[^\\>]+>\\s*)+Sign<'
    body.html.raw matches '<span[^>]*style="[^"]*">Docu.?Sign<\\/span>'
    any of html.xpath(body.html, '//h1').nodes where:
    
    .display_text matches 'Docu.?Sign'
    body.html.raw matches '<span[^>]*style="[^"]*">(Docu|D(?:ocu?)?)<\\/span>(?:<[^\\>]+\\>){0,2}<span[^>]*style="[^"]*">(Sign|S(?:ign?)?)<\\/span>'
    any of html.xpath(body.html, '//strong').nodes where:
    
    .display_text matches 'Docu.?Sign'
    any of html.xpath(body.html, '//title').nodes where:
    
    .display_text matches '^docu.?sign'
    any of html.xpath(body.html, '//div[@class="logo"]').nodes where:
    
    .display_text contains 'Docusign'
    any of html.xpath(body.html, '//img/@alt').nodes where:
    
    .raw is 'docusign'
    any of regex.iextract(body.html.raw) where:
    
    .full_match is not 'docusign'
    any of regex.iextract(body.html.raw) where:
    
    .full_match is not 'docusign'
    any of regex.iextract(body.html.raw) where:
    
    .full_match is not 'docusign'
    any of regex.iextract(body.html.raw) where:
    
    .full_match is not 'docusign'
  - any of:
    
    body.html.raw matches any of 2 patterns
    
    b(?:ackground(?:-color)?|g?color):\s*rgb$30,\s*76,\s*161$
    b(?:ackground(?:-color)?|g?color):\s*rgb$61,\s*170,\s*73$
    body.html.raw matches '<(?:div|td|table)[^>]*b(?:ackground(?:-color)?|g?color)(?::|=)\\s*\\"?#1e4ca1[^>]*>'
    body.html.raw matches 'b(?:ackground(?:-color)?|g?color)(?::|=)\\s*\\"?#(?:214e9f|3260a7|0056b3|1e4ca1|214395|325bb8|3c60ad)'
- all of:
  - body.current_thread.text contains 'Docusign'
  - any of:
    
    body.html.raw matches '<title>[^<]*Easearch[^<]*</title>'
    body.html.raw matches '<spacing>[^<]*(?:Docusign|Document)'
    body.html.raw matches '{(?:domain|randomNumber\\d?)}'
any of:
- any of filter(body.links) where all hold:
  - not:
    
    .href_url.domain.root_domain in ('docusign.com', 'docusign.net', 'docusign.co.uk', 'docusign.com.br', 'docusign.fr', 'insuresign.com', 'clixsign.com', 'esignlive.com', 'clickcontracts.com', 'adobesign.com', 'hellosign.com')
  - not:
    
    all of:
    
    .href_url.domain.root_domain is 'mimecastprotect.com'
    all of:
    
    .href_url.query_params is set
    .href_url.query_params matches any of 2 patterns
    
    domain=(?:\w+\.)?docusign.(?:net|com|co\.uk|com\.br|fr)
    domain=(?:\w+\.)?(?:insuresign\.com|clixsign\.com|esignlive\.com|clickcontracts\.com|adobesign\.com|hellosign\.com)
- any of attachments where all hold:
  - any of:
    
    .file_extension in ('html', 'htm', 'shtml', 'dhtml')
    .file_extension in $file_extensions_common_archives
    .file_type is 'html'
    .content_type is 'text/html'
  - at least 1 of:
    
    all of:
    
    file.parse_html(.).raw matches '\\s{0,}<script.*'
    file.parse_html(.).raw matches '</script>'
    file.parse_html(.).raw matches any of 3 patterns
    
    *createElement*
    *appendChild*
    *createObjectURL*
    strings.icount(file.parse_html(.).raw, '/*') > 10
    any of $free_subdomain_hosts where:
    
    strings.icontains(.file_name)
not:
- all of:
  - sender.email.domain.root_domain in $high_trust_sender_root_domains
  - coalesce(headers.auth_summary.dmarc.pass)
not:
- all of:
  - any of headers.domains where:
    
    .root_domain is 'docusign.net'
  - headers.auth_summary.spf.pass
  - headers.auth_summary.dmarc.pass
not:
- all of:
  - any of headers.hops where:
    
    any of .fields where all hold:
    
    .name is 'X-Api-Host'
    .value ends with 'docusign.net'
  - sender.display_name contains 'via'

Inspects: attachments[].content_type, attachments[].file_extension, attachments[].file_name, attachments[].file_type, body.current_thread.text, body.html, body.html.inner_text, body.html.raw, body.links, body.links[].display_text, body.links[].href_url.domain.domain, body.links[].href_url.path, headers.auth_summary.dmarc.pass, headers.auth_summary.spf.pass, headers.domains, headers.domains[].root_domain, headers.hops, headers.hops[].fields, headers.hops[].fields[].name, headers.hops[].fields[].value, headers.references, sender.display_name, sender.email.domain.root_domain, sender.email.email, subject.subject, type.inbound. Sensors: file.parse_html, html.xpath, regex.icontains, regex.iextract, regex.imatch, strings.contains, strings.ends_with, strings.icontains, strings.icount, strings.iends_with, strings.ilevenshtein, strings.ilike, strings.istarts_with. Reference lists: $file_extensions_common_archives, $free_subdomain_hosts, $high_trust_sender_root_domains.

Indicators matched (157)

Field	Match	Value
`strings.ilike`	substring	`docusign.net`
`strings.ilike`	substring	`docusign.com`
`strings.ilike`	substring	`docusign`
`strings.ilevenshtein`	fuzzy	`docusign`
`strings.ilike`	substring	`docuonline`
`strings.ilike`	substring	`via signature*`
`strings.istarts_with`	prefix	`docusign`
`regex.icontains`	regex	`\bdocu.?sign\b`
`strings.istarts_with`	prefix	`DOCUSIGN\n`
`regex.icontains`	regex	`You(?:'ve\| have) received a ([^\\s]+\\s)?document`
`strings.icontains`	substring	`a document to review and sign`
`strings.icontains`	substring	`A document is available for you`

145 more

`strings.icontains`	substring	`a document ready for you`
`strings.icontains`	substring	`This email contains a secure link to DocuSign`
`strings.icontains`	substring	`All parties have completed with Docusign`
`strings.icontains`	substring	`the signing of this document has been completed`
`strings.icontains`	substring	`Please use the link above to Docusign`
`strings.icontains`	substring	`Review on Docusign`
`strings.icontains`	substring	`Completed with Docusign`
`strings.icontains`	substring	`Completed on Docusign`
`strings.icontains`	substring	`Complete with Docusign`
`strings.icontains`	substring	`please review and complete with DocuSign`
`strings.icontains`	substring	`We appreciate you choosing DocuSign`
`strings.icontains`	substring	`A document has been sent to you for`
`strings.icontains`	substring	`Please Sign docusign`
`strings.icontains`	substring	`This email was sent via DocuSign`
`strings.icontains`	substring	`This email was sent to you via DocuSign`
`strings.icontains`	substring	`This message was sent via DocuSign`
`strings.icontains`	substring	`This message was sent to you via DocuSign`
`strings.icontains`	substring	`review via DocuSign Electronic Signature`
`strings.icontains`	substring	`sent to you by DocuSign`
`strings.icontains`	substring	`Processed by DocuSign`
`strings.icontains`	substring	`Please read and sign the document`
`strings.icontains`	substring	`Please kindly review and sign the`
`strings.icontains`	substring	`Your document is pending review and signature`
`strings.icontains`	substring	`pending document for your signature`
`strings.icontains`	substring	`your review and signature`
`strings.icontains`	substring	`a pending document for`
`strings.icontains`	substring	`Your document is ready`
`strings.icontains`	substring	`This email is automatically generated by DocuSign`
`strings.icontains`	substring	`Your document has been completed`
`regex.icontains`	regex	`Review\s(?:and\s\|&\s*)Sign.{0,40}docusign`
`regex.icontains`	regex	`docusign.{0,40}Review\s(?:and\s\|&\s*)Sign`
`regex.icontains`	regex	`Sign\s(?:and\s\|&\s*)Return.{0,40}docusign`
`regex.icontains`	regex	`Sign\s(?:and\s\|&\s*)Return.docusign.{0,40}`
`strings.icontains`	substring	`complete with docusign`
`strings.icontains`	substring	`signature request`
`regex.icontains`	regex	`Review\s(?:and\s\|&\s*)Sign`
`regex.icontains`	regex	`Sign\s(?:and\s\|&\s*)Return`
`strings.icontains`	substring	`Please Docusign`
`strings.icontains`	substring	`Docusign has sent`
`strings.iends_with`	suffix	`docusign.net`
`regex.imatch`	regex	`[0-9a-f]{32}@(?:[^\.]+\.)?docusign.net`
`regex.icontains`	regex	`\bdocu\b`
`strings.icontains`	substring	`sign`
`regex.icontains`	regex	`Powered by.{0,6}(?:\s<\/?[^\>]+\>\s)+<img[^\>]+(?:src="https:\/\/docucdn-a\.akamaihd\.net\/[^\"]+email-logo.png"\|alt="DocuSign")`
`regex.icontains`	regex	`Powered by\s*DocuSign`
`strings.icontains`	substring	`Powered by`
`strings.icontains`	substring	`using the Docusign Electronic Signature Service`
`strings.icontains`	substring	`who uses the DocuSign Electronic Signature Service`
`strings.icontains`	substring	`Thank you for choosing DocuSign`
`strings.icontains`	substring	`Alternate Signing Method`
`strings.icontains`	substring	`Alternative Access`
`regex.icontains`	regex	`(?:Click\|Select) 'Access Documents', and enter`
`strings.icontains`	substring	`Please do not share this email, link, or access code with others`
`sender.email.domain.root_domain`	member	`insuresign.com`
`sender.email.domain.root_domain`	member	`clixsign.com`
`sender.email.domain.root_domain`	member	`esignlive.com`
`sender.email.domain.root_domain`	member	`clickcontracts.com`
`sender.email.domain.root_domain`	member	`sadq.sa`
`sender.email.domain.root_domain`	member	`vasion.com`
`sender.email.domain.root_domain`	member	`chubb.com`
`strings.icontains`	substring	`Docusign provides a`
`strings.icontains`	substring	`solution for Digital Transaction Management`
`strings.icontains`	substring	`a secure link to DocuSign`
`body.links[].href_url.domain.domain`	equals	`support.docusign.com`
`strings.contains`	substring	`/articles/`
`body.links[].href_url.domain.domain`	equals	`community.docusign.com`
`body.links[].href_url.domain.domain`	equals	`protect.docusign.com`
`body.links[].href_url.domain.domain`	equals	`app.esign.docusign.com`
`strings.icontains`	substring	`Declining to sign`
`strings.icontains`	substring	`Managing notifications`
`strings.icontains`	substring	`How to Sign a Document`
`strings.icontains`	substring	`Docusign Support Center`
`strings.icontains`	substring	`Report this email`
`strings.icontains`	substring	`Docusign Community`
`strings.icontains`	substring	`Connect with our support team`
`strings.icontains`	substring	`Unsubscribe`
`strings.icontains`	substring	`Manage Preferences`
`regex.icontains`	regex	`<font size="?[0-9]"?[^\>]*>DocuSign</font>`
`regex.icontains`	regex	`\nDocu(?:<[^\>]+>\s*)+Sign<`
`regex.icontains`	regex	`<span[^>]style="[^"]">Docu.?Sign<\/span>`
`regex.icontains`	regex	`Docu.?Sign`
`regex.icontains`	regex	`<span[^>]style="[^"]">(Docu\|D(?:ocu?)?)<\/span>(?:<[^\>]+\>){0,2}<span[^>]style="[^"]">(Sign\|S(?:ign?)?)<\/span>`
`regex.imatch`	regex	`Docu.?Sign`
`regex.icontains`	regex	`^docu.?sign`
`strings.icontains`	substring	`Docusign`
`html.xpath(body.html, '//img/@alt').nodes[].raw`	equals	`docusign`
`regex.iextract`	regex	`(?:D\|D\|D)(?:&#?[0-9a-fA-F]{2,6};\|\s\|o\|о\|о\|о)(?:&#?[0-9a-fA-F]{2,6};\|\s\|c\|с\|с\|с)u(?:&#?[0-9a-fA-F]{2,6};\|\s)?S(?:&#?[0-9a-fA-F]{2,6};\|\s\|i\|і\|і\|і)(?:&#?[0-9a-fA-F]{2,6};\|\s\|g\|ɡ\|ɡ\|ɡ)(?:n\|n\|n)`
`regex.iextract`	regex	`(?:[DⅮᎠᗞᗡ𝐃𝐷𝑫𝒟𝓓𝔇𝔻𝕯𝖣])\s(?:[oοоօ0Ооʘ◯])\s(?:[cсçҫ¢ϲС])\su\s(?:[sѕЅ5$])\s(?:[iіІ1l!\|])\s(?:[gǵġģ9ɡ])\s*(?:[nոռℼη𝐧𝑛𝒏𝓃𝓷𝔫𝕟𝖓])`
`regex.iextract`	regex	`(?:D\|D\|D)(?:o\|о\|o\|o\|о\|о\|ο\|ο)(?:c\|с\|c\|c\|с\|с\|ϲ\|ç\|g\|ĉ\|ĉ)(?:u\|u\|u\|у\|у\|υ\|υ)(?:s\|s\|s\|ѕ\|ѕ)(?:i\|і\|i\|i\|і\|і\|ı\|ı)(?:g\|g\|g\|ɡ\|ɡ\|ğ\|ğ)(?:n\|n\|n\|н\|н\|η\|η)`
`regex.iextract`	regex	`D(?:&#[0-9]{1,7};)\p{Mn}o(?:&#[0-9]{1,7};)\p{Mn}c(?:&#[0-9]{1,7};)\p{Mn}u(?:&#[0-9]{1,7};)\p{Mn}[Ss](?:&#[0-9]{1,7};)\p{Mn}i(?:&#[0-9]{1,7};)\p{Mn}g(?:&#[0-9]{1,7};)\p{Mn}n`
`regex.icontains`	regex	`b(?:ackground(?:-color)?\|g?color):\srgb$30,\s76,\s*161$`
`regex.icontains`	regex	`b(?:ackground(?:-color)?\|g?color):\srgb$61,\s170,\s*73$`
`regex.icontains`	regex	`<(?:div\|td\|table)[^>]b(?:ackground(?:-color)?\|g?color)(?::\|=)\s\"?#1e4ca1[^>]*>`
`regex.icontains`	regex	`b(?:ackground(?:-color)?\|g?color)(?::\|=)\s*\"?#(?:214e9f\|3260a7\|0056b3\|1e4ca1\|214395\|325bb8\|3c60ad)`
`regex.icontains`	regex	`<title>[^<]Easearch[^<]</title>`
`regex.icontains`	regex	`<spacing>[^<]*(?:Docusign\|Document)`
`regex.icontains`	regex	`{(?:domain\|randomNumber\d?)}`
`strings.ilevenshtein`	fuzzy	`Review Now`
`strings.ilevenshtein`	fuzzy	`Review and Sign`
`strings.icontains`	substring	`Review`
`strings.icontains`	substring	`Review Us`
`strings.icontains`	substring	`leave us a review`
`regex.icontains`	regex	`\bReviews\b`
`strings.icontains`	substring	`Review Message`
`body.links[].href_url.domain.domain`	equals	`security.microsoft.com`
`body.links[].href_url.path`	equals	`/quarantine`
`strings.icontains`	substring	`document`
`strings.icontains`	substring	`docusign`
`strings.icontains`	substring	`view form`
`strings.icontains`	substring	`Sign`
`regex.icontains`	regex	`(?:in\b\|now)`
`strings.icontains`	substring	`Download`
`strings.icontains`	substring	`File`
`strings.icontains`	substring	`Document`
`strings.icontains`	substring	`complete tasks`
`strings.icontains`	substring	`View and complete`
`filter(body.links)[].href_url.domain.root_domain`	member	`docusign.com`
`filter(body.links)[].href_url.domain.root_domain`	member	`docusign.net`
`filter(body.links)[].href_url.domain.root_domain`	member	`docusign.co.uk`
`filter(body.links)[].href_url.domain.root_domain`	member	`docusign.com.br`
`filter(body.links)[].href_url.domain.root_domain`	member	`docusign.fr`
`filter(body.links)[].href_url.domain.root_domain`	member	`insuresign.com`
`filter(body.links)[].href_url.domain.root_domain`	member	`clixsign.com`
`filter(body.links)[].href_url.domain.root_domain`	member	`esignlive.com`
`filter(body.links)[].href_url.domain.root_domain`	member	`clickcontracts.com`
`filter(body.links)[].href_url.domain.root_domain`	member	`adobesign.com`
`filter(body.links)[].href_url.domain.root_domain`	member	`hellosign.com`
`filter(body.links)[].href_url.domain.root_domain`	equals	`mimecastprotect.com`
`regex.icontains`	regex	`domain=(?:\w+\.)?docusign.(?:net\|com\|co\.uk\|com\.br\|fr)`
`regex.icontains`	regex	`domain=(?:\w+\.)?(?:insuresign\.com\|clixsign\.com\|esignlive\.com\|clickcontracts\.com\|adobesign\.com\|hellosign\.com)`
`attachments[].file_extension`	member	`html`
`attachments[].file_extension`	member	`htm`
`attachments[].file_extension`	member	`shtml`
`attachments[].file_extension`	member	`dhtml`
`attachments[].file_type`	equals	`html`
`attachments[].content_type`	equals	`text/html`
`regex.icontains`	regex	`\s{0,}<script.*`
`regex.icontains`	regex	`</script>`
`strings.ilike`	substring	`createElement`
`strings.ilike`	substring	`appendChild`
`strings.ilike`	substring	`createObjectURL`
`headers.domains[].root_domain`	equals	`docusign.net`
`headers.hops[].fields[].name`	equals	`X-Api-Host`
`strings.ends_with`	suffix	`docusign.net`
`strings.contains`	substring	`via`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)