EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Service abuse: DocuSign notification with suspicious sender or document name

The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name.

MITRE ATT&CK

T1566.003T1598T1566.002T1534T1656T1036T1027T1566
defense-evasioninitial-access

Detection Query

type.inbound
and length(attachments) == 0

// Legitimate Docusign sending infratructure
and sender.email.domain.root_domain == 'docusign.net'
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
and length(headers.reply_to) > 0
and not any(headers.reply_to,
            .email.domain.domain in $org_domains
            or .email.domain.root_domain in $high_trust_sender_root_domains
            or .email.domain.root_domain in ("docusign.net", "docusign.com")
)
// 
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
// 

// reply-to address has never sent an email to the org
and beta.profile.by_reply_to().prevalence == "new"

// reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited

// do not match if the reply_to address has been observed as a reply_to address
// of a message that has been classified as benign
and not beta.profile.by_reply_to().any_messages_benign

// not a completed DocuSign
// reminders are sent automatically and can be just as malicious as the initial
// users often decline malicious ones
and not strings.istarts_with(subject.subject, "Completed: ")
and not strings.istarts_with(subject.subject, "Here is your signed document: ")
and not strings.istarts_with(subject.subject, "Voided: ")
and (
  // contains the word docusign before the `via Docusign` part
  regex.icontains(sender.display_name, 'Docusign.*via Docusign$')
  or strings.icontains(subject.subject, 'sharefile')
  or strings.icontains(subject.subject, 'helloshare')

  // sender names part of the subject
  or (
    // Billing Accounting
    regex.icontains(sender.display_name,
                    'Accounts? (?:Payable|Receivable).*via Docusign$',
                    'Billing Support.*via Docusign$'
    )

    // HR/Payroll/Legal/etc
    or regex.icontains(sender.display_name, 'Compliance HR.*via Docusign$')
    or regex.icontains(sender.display_name,
                       '(?:Compliance|Executive|Finance|\bHR\b|Human Resources|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*(?:Department|Team)?.*via Docusign$'
    )
    or regex.icontains(sender.display_name,
                       'Corporate Communications.*via Docusign$'
    )
    or regex.icontains(sender.display_name, 'Employee Relations.*via Docusign$')
    or regex.icontains(sender.display_name, 'Office Manager.*via Docusign$')
    or regex.icontains(sender.display_name, 'Risk Management.*via Docusign$')
    or regex.icontains(sender.display_name,
                       'Payroll Admin(?:istrator).*via Docusign$'
    )

    // IT related
    or regex.icontains(sender.display_name,
                       'IT Support.*via Docusign$',
                       'Information Technology.*via Docusign$',
                       '(?:Network|System)? Admin(?:istrator).*via Docusign$',
                       'Help Desk.*via Docusign$',
                       'Tech(?:nical) Support.*via Docusign$'
    )
  )
  // filename analysis
  // the filename is also contained in the subject line
  or (
    // scanner themed
    regex.icontains(subject.subject, 'scanne[rd]')
    // image theme
    or regex.icontains(subject.subject, '_IMG_')
    or regex.icontains(subject.subject, 'IMG[_-](?:\d|\W)+')

    // Invoice Themes
    or regex.icontains(subject.subject, 'Invoice')
    or regex.icontains(subject.subject, 'INV\b')
    or regex.icontains(subject.subject, 'Payment')
    or regex.icontains(subject.subject, '\bACH\b')
    or regex.icontains(subject.subject, 'Wire Confirmation')
    or regex.icontains(subject.subject, 'P[O0]\W+?\d+\"')
    or regex.icontains(subject.subject, 'P[O0](?:\W+?|\d+)')
    or regex.icontains(subject.subject, 'receipt')
    or regex.icontains(subject.subject, 'Billing')
    or regex.icontains(subject.subject, 'statement')
    or regex.icontains(subject.subject, 'Past Due')
    or regex.icontains(subject.subject, 'Remit(?:tance)?')
    or regex.icontains(subject.subject, 'Purchase Order')
    or regex.icontains(subject.subject, 'Settlementt')

    // contract language
    or regex.icontains(subject.subject, 'Pr[0o]p[0o]sal')
    or regex.icontains(subject.subject, 'Claim Doc')

    // Payroll/HR
    or regex.icontains(subject.subject, 'Payroll')
    or regex.icontains(subject.subject, 'Employee Pay\b')
    or regex.icontains(subject.subject, 'Salary')
    or regex.icontains(subject.subject, 'Benefit Enrollment')
    or regex.icontains(subject.subject, 'Employee Handbook')
    or regex.icontains(subject.subject, 'Reimbursement Approved')

    // 
    // shared files/extenstion/urgency/CTA
    or regex.icontains(subject.subject, 'Urgent')
    or regex.icontains(subject.subject, 'Important')
    or regex.icontains(subject.subject, 'Secure')
    or regex.icontains(subject.subject, 'Encrypt')
    or regex.icontains(subject.subject, 'shared')
    or regex.icontains(subject.subject, 'protected')
    or regex.icontains(subject.subject, 'Validate')
    or regex.icontains(subject.subject, 'Action Required')
    or regex.icontains(subject.subject, 'Final Notice')
    or regex.icontains(subject.subject, 'Review(?: and| & |\s+)?Sign')
    or regex.icontains(subject.subject, 'Download PDF')

    // MFA theme
    or regex.icontains(subject.subject, 'Verification Code')
    or regex.icontains(subject.subject, '\bMFA\b')
  )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Service abuse: DocuSign notification with suspicious sender or document name"
description: "The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 0
  
  // Legitimate Docusign sending infratructure
  and sender.email.domain.root_domain == 'docusign.net'
  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
  and length(headers.reply_to) > 0
  and not any(headers.reply_to,
              .email.domain.domain in $org_domains
              or .email.domain.root_domain in $high_trust_sender_root_domains
              or .email.domain.root_domain in ("docusign.net", "docusign.com")
  )
  // 
  // This rule makes use of a beta feature and is subject to change without notice
  // using the beta feature in custom rules is not suggested until it has been formally released
  // 
  
  // reply-to address has never sent an email to the org
  and beta.profile.by_reply_to().prevalence == "new"
  
  // reply-to email address has never been sent an email by the org
  and not beta.profile.by_reply_to().solicited
  
  // do not match if the reply_to address has been observed as a reply_to address
  // of a message that has been classified as benign
  and not beta.profile.by_reply_to().any_messages_benign
  
  // not a completed DocuSign
  // reminders are sent automatically and can be just as malicious as the initial
  // users often decline malicious ones
  and not strings.istarts_with(subject.subject, "Completed: ")
  and not strings.istarts_with(subject.subject, "Here is your signed document: ")
  and not strings.istarts_with(subject.subject, "Voided: ")
  and (
    // contains the word docusign before the `via Docusign` part
    regex.icontains(sender.display_name, 'Docusign.*via Docusign$')
    or strings.icontains(subject.subject, 'sharefile')
    or strings.icontains(subject.subject, 'helloshare')
  
    // sender names part of the subject
    or (
      // Billing Accounting
      regex.icontains(sender.display_name,
                      'Accounts? (?:Payable|Receivable).*via Docusign$',
                      'Billing Support.*via Docusign$'
      )
  
      // HR/Payroll/Legal/etc
      or regex.icontains(sender.display_name, 'Compliance HR.*via Docusign$')
      or regex.icontains(sender.display_name,
                         '(?:Compliance|Executive|Finance|\bHR\b|Human Resources|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*(?:Department|Team)?.*via Docusign$'
      )
      or regex.icontains(sender.display_name,
                         'Corporate Communications.*via Docusign$'
      )
      or regex.icontains(sender.display_name, 'Employee Relations.*via Docusign$')
      or regex.icontains(sender.display_name, 'Office Manager.*via Docusign$')
      or regex.icontains(sender.display_name, 'Risk Management.*via Docusign$')
      or regex.icontains(sender.display_name,
                         'Payroll Admin(?:istrator).*via Docusign$'
      )
  
      // IT related
      or regex.icontains(sender.display_name,
                         'IT Support.*via Docusign$',
                         'Information Technology.*via Docusign$',
                         '(?:Network|System)? Admin(?:istrator).*via Docusign$',
                         'Help Desk.*via Docusign$',
                         'Tech(?:nical) Support.*via Docusign$'
      )
    )
    // filename analysis
    // the filename is also contained in the subject line
    or (
      // scanner themed
      regex.icontains(subject.subject, 'scanne[rd]')
      // image theme
      or regex.icontains(subject.subject, '_IMG_')
      or regex.icontains(subject.subject, 'IMG[_-](?:\d|\W)+')
  
      // Invoice Themes
      or regex.icontains(subject.subject, 'Invoice')
      or regex.icontains(subject.subject, 'INV\b')
      or regex.icontains(subject.subject, 'Payment')
      or regex.icontains(subject.subject, '\bACH\b')
      or regex.icontains(subject.subject, 'Wire Confirmation')
      or regex.icontains(subject.subject, 'P[O0]\W+?\d+\"')
      or regex.icontains(subject.subject, 'P[O0](?:\W+?|\d+)')
      or regex.icontains(subject.subject, 'receipt')
      or regex.icontains(subject.subject, 'Billing')
      or regex.icontains(subject.subject, 'statement')
      or regex.icontains(subject.subject, 'Past Due')
      or regex.icontains(subject.subject, 'Remit(?:tance)?')
      or regex.icontains(subject.subject, 'Purchase Order')
      or regex.icontains(subject.subject, 'Settlementt')
  
      // contract language
      or regex.icontains(subject.subject, 'Pr[0o]p[0o]sal')
      or regex.icontains(subject.subject, 'Claim Doc')
  
      // Payroll/HR
      or regex.icontains(subject.subject, 'Payroll')
      or regex.icontains(subject.subject, 'Employee Pay\b')
      or regex.icontains(subject.subject, 'Salary')
      or regex.icontains(subject.subject, 'Benefit Enrollment')
      or regex.icontains(subject.subject, 'Employee Handbook')
      or regex.icontains(subject.subject, 'Reimbursement Approved')
  
      // 
      // shared files/extenstion/urgency/CTA
      or regex.icontains(subject.subject, 'Urgent')
      or regex.icontains(subject.subject, 'Important')
      or regex.icontains(subject.subject, 'Secure')
      or regex.icontains(subject.subject, 'Encrypt')
      or regex.icontains(subject.subject, 'shared')
      or regex.icontains(subject.subject, 'protected')
      or regex.icontains(subject.subject, 'Validate')
      or regex.icontains(subject.subject, 'Action Required')
      or regex.icontains(subject.subject, 'Final Notice')
      or regex.icontains(subject.subject, 'Review(?: and| & |\s+)?Sign')
      or regex.icontains(subject.subject, 'Download PDF')
  
      // MFA theme
      or regex.icontains(subject.subject, 'Verification Code')
      or regex.icontains(subject.subject, '\bMFA\b')
    )
  )

attack_types:
  - "Callback Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Header analysis"
  - "Content analysis"
id: "5e4707cd-1953-5fe2-9a62-34e3026f0336"