EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Service abuse: DocuSign share from an unsolicited reply-to address

DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1036T1027
defense-evasioninitial-access

Detection Query

type.inbound

// message is from docusign actual
and sender.email.domain.root_domain == 'docusign.net'
and not any(headers.reply_to, .email.domain.domain == 'docusign.com')
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)

// not a completed DocuSign
// reminders are sent automatically and can be just as malicious as the initial
// users often decline malicious ones
and not strings.istarts_with(subject.subject, "Completed: ")
and not strings.istarts_with(subject.subject, "Here is your signed document: ")
and not strings.istarts_with(subject.subject, "Voided: ")

// 
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
// 

// reply-to address rarely seen in org
and beta.profile.by_reply_to().prevalence in~ ("new", "rare")

// reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited

// do not match if the reply_to address has been observed as a reply_to address
// of a message that has been classified as benign
and not beta.profile.by_reply_to().any_messages_benign

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
name: "Service abuse: DocuSign share from an unsolicited reply-to address"
description: "DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization."
type: "rule"
severity: "medium"
source: |
  type.inbound
  
  // message is from docusign actual
  and sender.email.domain.root_domain == 'docusign.net'
  and not any(headers.reply_to, .email.domain.domain == 'docusign.com')
  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
  
  // not a completed DocuSign
  // reminders are sent automatically and can be just as malicious as the initial
  // users often decline malicious ones
  and not strings.istarts_with(subject.subject, "Completed: ")
  and not strings.istarts_with(subject.subject, "Here is your signed document: ")
  and not strings.istarts_with(subject.subject, "Voided: ")
  
  // 
  // This rule makes use of a beta feature and is subject to change without notice
  // using the beta feature in custom rules is not suggested until it has been formally released
  // 
  
  // reply-to address rarely seen in org
  and beta.profile.by_reply_to().prevalence in~ ("new", "rare")
  
  // reply-to email address has never been sent an email by the org
  and not beta.profile.by_reply_to().solicited
  
  // do not match if the reply_to address has been observed as a reply_to address
  // of a message that has been classified as benign
  and not beta.profile.by_reply_to().any_messages_benign
tags:
 - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "2f12d616-f47a-5259-8946-ac2e01940f6f"