DocuSign impersonation via CloudHQ links

name: "DocuSign impersonation via CloudHQ links"
description: "Identifies messages containing CloudHQ share links from senders outside the CloudHQ domain who are impersonating DocuSign in either the subject line or display name."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.root_domain == "cloudhq.net"
          and strings.starts_with(.href_url.path, "/s/")
          and sender.email.domain.root_domain != 'cloudhq.net'
  )
  
  // the subject or display_name includes docusign
  and (
    regex.icontains(strings.replace_confusables(subject.subject),
                    '\bdocu\s*sign\b'
    )
    or regex.icontains(strings.replace_confusables(sender.display_name),
                       '\bdocu\s*sign\b'
    )
  )
  
  // there is one unique cloudhq link in the message
  and length(distinct(filter(body.links,
                             .href_url.domain.root_domain == "cloudhq.net"
                      ),
                      .href_url.url
             )
  ) <= 1

attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Free file host"
detection_methods:
  - "Header analysis"
  - "URL analysis"
  - "Content analysis"
  - "Sender analysis"
id: "44ba2fee-fe36-5a53-9da8-febecab405f6"