← Back to Explore
sublimehighRule
Brand impersonation: DocuSign (QR code)
Detects messages using DocuSign image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
Detection Query
type.inbound
and any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and (
any(ml.logo_detect(.).brands,
.name == "DocuSign" and .confidence in ("medium", "high")
)
or any(ml.logo_detect(file.message_screenshot()).brands,
.name == "DocuSign"
)
)
and (
any(file.explode(.),
(
(
.scan.qr.type is not null
and regex.contains(.scan.qr.data, '\.')
)
or
// QR code language
(
regex.icontains(.scan.ocr.raw, 'scan|camera')
and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
)
)
// exclude images taken with mobile cameras and screenshots from android
and not any(.scan.exiftool.fields,
.key == "Model"
or (
.key == "Software"
and strings.starts_with(.value, "Android")
)
)
// exclude images taken with mobile cameras and screenshots from Apple
and not any(.scan.exiftool.fields,
.key == "DeviceManufacturer"
and .value == "Apple Computer Inc."
)
)
)
)
and not (
sender.email.domain.root_domain in ("docusign.net", "docusign.com")
and headers.auth_summary.dmarc.pass
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: DocuSign (QR code)"
description: "Detects messages using DocuSign image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads."
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and (
any(ml.logo_detect(.).brands,
.name == "DocuSign" and .confidence in ("medium", "high")
)
or any(ml.logo_detect(file.message_screenshot()).brands,
.name == "DocuSign"
)
)
and (
any(file.explode(.),
(
(
.scan.qr.type is not null
and regex.contains(.scan.qr.data, '\.')
)
or
// QR code language
(
regex.icontains(.scan.ocr.raw, 'scan|camera')
and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
)
)
// exclude images taken with mobile cameras and screenshots from android
and not any(.scan.exiftool.fields,
.key == "Model"
or (
.key == "Software"
and strings.starts_with(.value, "Android")
)
)
// exclude images taken with mobile cameras and screenshots from Apple
and not any(.scan.exiftool.fields,
.key == "DeviceManufacturer"
and .value == "Apple Computer Inc."
)
)
)
)
and not (
sender.email.domain.root_domain in ("docusign.net", "docusign.com")
and headers.auth_summary.dmarc.pass
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "PDF"
- "QR code"
- "Social engineering"
detection_methods:
- "Computer Vision"
- "Header analysis"
- "QR code analysis"
- "Sender analysis"
id: "0b16c28a-3f7e-5a90-bea5-473198424431"