← Back to Explore
sublimehighRule
Link: Multistage landing - Abused Docusign
The detection rule matches on message groups which make use of Docusign as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website.
Detection Query
type.inbound
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
// reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited
// do not match if the reply_to address has been observed as a reply_to address
// of a message that has been classified as benign
and not beta.profile.by_reply_to().any_messages_benign
// message is from docusign actual
and sender.email.domain.root_domain == 'docusign.net'
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
// filter out all the links, keeping only the links of interest
and any(filter(body.links,
// target the DocuSign link
(
regex.icontains(.display_text,
"((view|show).completed.document|(?:re)?view doc|view.attached)"
)
or strings.icontains(.href_url.url, '/Signing/EmailStart.aspx')
or strings.icontains(.href_url.url, '/signing/emails/v')
)
),
// filter down the links on the docusign page to those that are external to docusign
any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
.href_url.domain.root_domain != 'docusign.net'
and .href_url.domain.root_domain != 'docusign.com'
and .href_url.domain.root_domain not in $org_domains
// relative links (no domains)
and .href_url.domain.domain is not null
),
(
// any of those links domains are new
network.whois(.href_url.domain).days_old < 30
// go to free file hosts
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.domain in $free_file_hosts
// go to free subdomains hosts
or (
.href_url.domain.root_domain in $free_subdomain_hosts
// where there is a subdomain
and .href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
)
// go to url shortners
or .href_url.domain.root_domain in $url_shorteners
or .href_url.domain.root_domain in $social_landing_hosts
or .href_url.domain.domain in $url_shorteners
or .href_url.domain.domain in $social_landing_hosts
or (
// find any links that mention common "action" words
regex.icontains(.display_text,
'(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
)
and (
// and when visiting those links, are phishing
ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
// hit a captcha page
or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
// or the page redirects to common website, observed when evasion happens
or (
length(ml.link_analysis(., mode="aggressive").redirect_history
) > 0
and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
)
)
)
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Link: Multistage landing - Abused Docusign"
description: "The detection rule matches on message groups which make use of Docusign as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website."
type: "rule"
severity: "high"
source: |
type.inbound
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
// reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited
// do not match if the reply_to address has been observed as a reply_to address
// of a message that has been classified as benign
and not beta.profile.by_reply_to().any_messages_benign
// message is from docusign actual
and sender.email.domain.root_domain == 'docusign.net'
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
// filter out all the links, keeping only the links of interest
and any(filter(body.links,
// target the DocuSign link
(
regex.icontains(.display_text,
"((view|show).completed.document|(?:re)?view doc|view.attached)"
)
or strings.icontains(.href_url.url, '/Signing/EmailStart.aspx')
or strings.icontains(.href_url.url, '/signing/emails/v')
)
),
// filter down the links on the docusign page to those that are external to docusign
any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
.href_url.domain.root_domain != 'docusign.net'
and .href_url.domain.root_domain != 'docusign.com'
and .href_url.domain.root_domain not in $org_domains
// relative links (no domains)
and .href_url.domain.domain is not null
),
(
// any of those links domains are new
network.whois(.href_url.domain).days_old < 30
// go to free file hosts
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.domain in $free_file_hosts
// go to free subdomains hosts
or (
.href_url.domain.root_domain in $free_subdomain_hosts
// where there is a subdomain
and .href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
)
// go to url shortners
or .href_url.domain.root_domain in $url_shorteners
or .href_url.domain.root_domain in $social_landing_hosts
or .href_url.domain.domain in $url_shorteners
or .href_url.domain.domain in $social_landing_hosts
or (
// find any links that mention common "action" words
regex.icontains(.display_text,
'(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
)
and (
// and when visiting those links, are phishing
ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
// hit a captcha page
or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
// or the page redirects to common website, observed when evasion happens
or (
length(ml.link_analysis(., mode="aggressive").redirect_history
) > 0
and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
)
)
)
)
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Free subdomain host"
- "Free file host"
detection_methods:
- "Content analysis"
- "Sender analysis"
- "URL analysis"
- "Whois"
- "HTML analysis"
id: "4189a645-04a5-5bdb-bf00-031442ced292"