← Back to Explore
sublimemediumRule
Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains
Detects HTML table elements that mimick DocuSign templates linking to non-DocuSign destinations. The rule negates high trusted sender domains and legitimate replies.
Detection Query
type.inbound
and length(attachments) == 0
and (
0 < length(body.links) < 10
// ignore link count when the HTML is padded with whitespace
// indicative of thread hijacking/copy-pasting
or regex.icount(body.html.raw, '(<br\s*/?>[\s\n]*)') > 50
)
and (
regex.icontains(body.html.raw, '<font size="[0-9]">DocuSign</font>')
or regex.icontains(body.html.raw, '<span[^>]*style="[^"]*">DocuSign<\/span>')
or regex.icontains(body.html.raw, '<strong>DocuSign</strong>')
or regex.icontains(body.html.raw,
'D󠀤󠀤o󠀤󠀤c\x{FE00}uS󠀤󠀤i\x{FE00}gn'
)
or any(body.links, regex.icontains(.display_text, 'view.{0,3}doc'))
or any(body.links, regex.contains(.display_text, '\bDOCUMENT'))
)
and (
regex.icontains(body.html.raw, 'background:\s*rgb\(30,\s*76,\s*161\)')
or regex.icontains(body.html.raw,
'background-color:\s*rgb\(30,\s*76,\s*161\)'
)
or regex.icontains(body.html.raw,
'background-color:\s*rgb\(61,\s*170,\s*73\)'
)
or regex.icontains(body.html.raw,
'<div[^>]*BACKGROUND-COLOR: #1e4ca1[^>]*>|<td[^>]*BACKGROUND-COLOR: #1e4ca1[^>]*>'
)
or regex.icontains(body.html.raw, 'background-color:#214e9f;')
or regex.icontains(body.html.raw, 'background-color:#3260a7')
or regex.icontains(body.html.raw,
'<table[^>]*cellspacing="0"[^>]*cellpadding="0"[^>]*>\s*<tbody[^>]*>\s*<tr[^>]*>\s*<td[^>]*style="BACKGROUND:\s*rgb\(247,247,247\);\s*width:\s*[0-9]{2,3}px;\s*padding:20px;\s*margin:\s*[0-9]{2,3}px"[^>]*>.*<div[^>]*style="BACKGROUND:\s*rgb\(30,76,161\);\s*padding:[0-9]{2,3}px;\s*color:#EFEFEF"[^>]*align="center"[^>]*>.*DOCUMENT.*</a>'
)
// Docusign Blue Box template with button
or (
regex.icontains(body.html.raw,
'<(td|div)[^>]*style="[^"]*background(-color)?:\s*(#1e4ca1|rgb\(30,\s*76,\s*161\))[^"]*"[^>]*>'
)
and (
regex.icontains(body.html.raw,
'<a[^>]*style="[^"]*background-color:\s*(#[A-Fa-f0-9]{6}|rgb\([^)]*\))[^"]*"[^>]*>.*?<span[^>]*>.*?<\/span>.*?<\/a>'
)
// white link with a border
or (
regex.icontains(body.html.raw,
'<a[^>]*style="[^"]*color:\s*(white|#fff|#ffffff|#FFF|#FFFFFF|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\)|rgba\(\s*255\s*,\s*255\s*,\s*255\s*,\s*[0-9.]+\s*\)|rgb\(\s*100%\s*,\s*100%\s*,\s*100%\s*\))[^"]*"[^>]*>.*?<\/a>'
)
and regex.icontains(body.html.raw,
'<a[^>]*style="[^"]*border:[^"]*"[^>]*>.*?<\/a>'
)
)
)
)
)
and any(body.links,
not strings.ilike(.href_url.domain.root_domain, "docusign.*")
and (
.display_text is null or regex.contains(.display_text, '\bDOCUMENT')
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// negate legit replies
and not (
length(headers.references) > 0
or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
and not profile.by_sender().any_messages_benign
// negate docusign X-Return-Path
and not any(headers.hops,
.index == 0
and any(.fields,
.name == "X-Return-Path"
and strings.ends_with(.value, "docusign.net")
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains"
description: "Detects HTML table elements that mimick DocuSign templates linking to non-DocuSign destinations. The rule negates high trusted sender domains and legitimate replies."
type: "rule"
severity: "medium"
source: |
type.inbound
and length(attachments) == 0
and (
0 < length(body.links) < 10
// ignore link count when the HTML is padded with whitespace
// indicative of thread hijacking/copy-pasting
or regex.icount(body.html.raw, '(<br\s*/?>[\s\n]*)') > 50
)
and (
regex.icontains(body.html.raw, '<font size="[0-9]">DocuSign</font>')
or regex.icontains(body.html.raw, '<span[^>]*style="[^"]*">DocuSign<\/span>')
or regex.icontains(body.html.raw, '<strong>DocuSign</strong>')
or regex.icontains(body.html.raw,
'D󠀤󠀤o󠀤󠀤c\x{FE00}uS󠀤󠀤i\x{FE00}gn'
)
or any(body.links, regex.icontains(.display_text, 'view.{0,3}doc'))
or any(body.links, regex.contains(.display_text, '\bDOCUMENT'))
)
and (
regex.icontains(body.html.raw, 'background:\s*rgb\(30,\s*76,\s*161\)')
or regex.icontains(body.html.raw,
'background-color:\s*rgb\(30,\s*76,\s*161\)'
)
or regex.icontains(body.html.raw,
'background-color:\s*rgb\(61,\s*170,\s*73\)'
)
or regex.icontains(body.html.raw,
'<div[^>]*BACKGROUND-COLOR: #1e4ca1[^>]*>|<td[^>]*BACKGROUND-COLOR: #1e4ca1[^>]*>'
)
or regex.icontains(body.html.raw, 'background-color:#214e9f;')
or regex.icontains(body.html.raw, 'background-color:#3260a7')
or regex.icontains(body.html.raw,
'<table[^>]*cellspacing="0"[^>]*cellpadding="0"[^>]*>\s*<tbody[^>]*>\s*<tr[^>]*>\s*<td[^>]*style="BACKGROUND:\s*rgb\(247,247,247\);\s*width:\s*[0-9]{2,3}px;\s*padding:20px;\s*margin:\s*[0-9]{2,3}px"[^>]*>.*<div[^>]*style="BACKGROUND:\s*rgb\(30,76,161\);\s*padding:[0-9]{2,3}px;\s*color:#EFEFEF"[^>]*align="center"[^>]*>.*DOCUMENT.*</a>'
)
// Docusign Blue Box template with button
or (
regex.icontains(body.html.raw,
'<(td|div)[^>]*style="[^"]*background(-color)?:\s*(#1e4ca1|rgb\(30,\s*76,\s*161\))[^"]*"[^>]*>'
)
and (
regex.icontains(body.html.raw,
'<a[^>]*style="[^"]*background-color:\s*(#[A-Fa-f0-9]{6}|rgb\([^)]*\))[^"]*"[^>]*>.*?<span[^>]*>.*?<\/span>.*?<\/a>'
)
// white link with a border
or (
regex.icontains(body.html.raw,
'<a[^>]*style="[^"]*color:\s*(white|#fff|#ffffff|#FFF|#FFFFFF|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\)|rgba\(\s*255\s*,\s*255\s*,\s*255\s*,\s*[0-9.]+\s*\)|rgb\(\s*100%\s*,\s*100%\s*,\s*100%\s*\))[^"]*"[^>]*>.*?<\/a>'
)
and regex.icontains(body.html.raw,
'<a[^>]*style="[^"]*border:[^"]*"[^>]*>.*?<\/a>'
)
)
)
)
)
and any(body.links,
not strings.ilike(.href_url.domain.root_domain, "docusign.*")
and (
.display_text is null or regex.contains(.display_text, '\bDOCUMENT')
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// negate legit replies
and not (
length(headers.references) > 0
or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
and not profile.by_sender().any_messages_benign
// negate docusign X-Return-Path
and not any(headers.hops,
.index == 0
and any(.fields,
.name == "X-Return-Path"
and strings.ends_with(.value, "docusign.net")
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "HTML analysis"
- "Header analysis"
- "Sender analysis"
- "URL analysis"
id: "28923dde-09fc-5b49-8263-ed2ab41b5c08"