EXPLORE
Sign In
← Back to Explore
sublimehighRule

Brand impersonation: DocuSign PDF attachment with suspicious link

This rule detects DocuSign logos within PDF's that do not link to reputable domains, nor docusign themselves. This is typically indicative of Credential Phishing.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1598.003
initial-access

Detection Query

type.inbound
and any(attachments,
        .file_type == "pdf"
        and any(ml.logo_detect(.).brands, .name == "DocuSign")
        and any(file.explode(.),
                length(.scan.url.urls) <= 9
                and any(.scan.url.urls,
                        .domain.root_domain not in $tranco_1m
                        and .domain.root_domain not in $org_domains
                        and .domain.root_domain != "sublimesecurity.com"
                        and not strings.ilike(.domain.root_domain, "docusign.*")
                )
        )
        and any(file.explode(.),
                any(ml.nlu_classifier(.scan.ocr.raw).entities,
                    .name == "org" and .text == "DocuSign"
                )
        )
        and any(file.explode(.),
                any(ml.nlu_classifier(.scan.ocr.raw).entities,
                    .name == "request"
                )
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand impersonation: DocuSign PDF attachment with suspicious link"
description: "This rule detects DocuSign logos within PDF's that do not link to reputable domains, nor docusign themselves. This is typically indicative of Credential Phishing."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_type == "pdf"
          and any(ml.logo_detect(.).brands, .name == "DocuSign")
          and any(file.explode(.),
                  length(.scan.url.urls) <= 9
                  and any(.scan.url.urls,
                          .domain.root_domain not in $tranco_1m
                          and .domain.root_domain not in $org_domains
                          and .domain.root_domain != "sublimesecurity.com"
                          and not strings.ilike(.domain.root_domain, "docusign.*")
                  )
          )
          and any(file.explode(.),
                  any(ml.nlu_classifier(.scan.ocr.raw).entities,
                      .name == "org" and .text == "DocuSign"
                  )
          )
          and any(file.explode(.),
                  any(ml.nlu_classifier(.scan.ocr.raw).entities,
                      .name == "request"
                  )
          )
  )
  
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "URL analysis"
id: "2601cbb7-0a07-5289-a32f-68c0db3c3170"