← Back to Explore
sublimelowRule
Service abuse: HelloSign from an unsolicited sender address
Detects messages from HelloSign in which the document originates from a newly observed email address. The email address is extracted from across multiple message components, including HTML body templates and email header fields.
Detection Query
type.inbound
and sender.email.domain.domain == "mail.hellosign.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
and (
// extract the sender out of the body html template
(
// if the sender_email is available in the body
regex.icontains(body.html.raw,
'<th class="action-item--action[^\>]+\>\s*[^\<]*\((?P<sender_email>[^\)]+)\).*?</th>'
)
// check that the sender email has not been observed previously
and all(regex.iextract(body.html.raw,
'<th class="action-item--action[^\>]+\>\s*[^\<]*\((?P<sender_email>[^\"]+@(?P<sender_domain>[^\"]+))\).*?</th>'
),
.named_groups["sender_domain"] not in $org_domains
and .named_groups["sender_email"] not in $recipient_emails
and .named_groups["sender_email"] not in $sender_emails
and not (
.named_groups["sender_domain"] not in $free_email_providers
and .named_groups["sender_domain"] in $recipient_domains
and .named_groups["sender_domain"] in $sender_domains
)
)
)
// extract the sender out of header hops if it's there
or any(headers.hops,
any(.fields,
.name == "X-Mailgun-Variables"
and strings.icontains(.value, 'on_behalf_of_email')
and all(regex.iextract(.value,
'\"on_behalf_of_email": \"(?P<sender_email>[^\"]+@(?P<sender_domain>[^\"]+))\",'
),
.named_groups["sender_domain"] not in $org_domains
and .named_groups["sender_email"] not in $recipient_emails
and .named_groups["sender_email"] not in $sender_emails
and not (
.named_groups["sender_domain"] not in $free_email_providers
and .named_groups["sender_domain"] in $recipient_domains
and .named_groups["sender_domain"] in $sender_domains
)
)
)
)
// extract the sender from the "reply to sender" element withn the body.html.raw
or (
regex.icontains(body.html.raw,
'<a href="mailto:[^\?]+\?[^\"]+\"[^\>]+\>(?:<img[^\>]+\>)?\s*Reply to sender<\/a>'
)
and all(regex.iextract(body.html.raw,
'<a href="mailto:(?P<sender_email>[^\?]+@(?P<sender_domain>[^\?]+))\?[^\"]+\"[^\>]+\>(?:<img[^\>]+\>)?\s*Reply to sender<\/a>'
),
.named_groups["sender_domain"] not in $org_domains
and .named_groups["sender_email"] not in $recipient_emails
and .named_groups["sender_email"] not in $sender_emails
and not (
.named_groups["sender_domain"] not in $free_email_providers
and .named_groups["sender_domain"] in $recipient_domains
and .named_groups["sender_domain"] in $sender_domains
)
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Service abuse: HelloSign from an unsolicited sender address"
description: "Detects messages from HelloSign in which the document originates from a newly observed email address. The email address is extracted from across multiple message components, including HTML body templates and email header fields."
type: "rule"
severity: "low"
source: |
type.inbound
and sender.email.domain.domain == "mail.hellosign.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
and (
// extract the sender out of the body html template
(
// if the sender_email is available in the body
regex.icontains(body.html.raw,
'<th class="action-item--action[^\>]+\>\s*[^\<]*\((?P<sender_email>[^\)]+)\).*?</th>'
)
// check that the sender email has not been observed previously
and all(regex.iextract(body.html.raw,
'<th class="action-item--action[^\>]+\>\s*[^\<]*\((?P<sender_email>[^\"]+@(?P<sender_domain>[^\"]+))\).*?</th>'
),
.named_groups["sender_domain"] not in $org_domains
and .named_groups["sender_email"] not in $recipient_emails
and .named_groups["sender_email"] not in $sender_emails
and not (
.named_groups["sender_domain"] not in $free_email_providers
and .named_groups["sender_domain"] in $recipient_domains
and .named_groups["sender_domain"] in $sender_domains
)
)
)
// extract the sender out of header hops if it's there
or any(headers.hops,
any(.fields,
.name == "X-Mailgun-Variables"
and strings.icontains(.value, 'on_behalf_of_email')
and all(regex.iextract(.value,
'\"on_behalf_of_email": \"(?P<sender_email>[^\"]+@(?P<sender_domain>[^\"]+))\",'
),
.named_groups["sender_domain"] not in $org_domains
and .named_groups["sender_email"] not in $recipient_emails
and .named_groups["sender_email"] not in $sender_emails
and not (
.named_groups["sender_domain"] not in $free_email_providers
and .named_groups["sender_domain"] in $recipient_domains
and .named_groups["sender_domain"] in $sender_domains
)
)
)
)
// extract the sender from the "reply to sender" element withn the body.html.raw
or (
regex.icontains(body.html.raw,
'<a href="mailto:[^\?]+\?[^\"]+\"[^\>]+\>(?:<img[^\>]+\>)?\s*Reply to sender<\/a>'
)
and all(regex.iextract(body.html.raw,
'<a href="mailto:(?P<sender_email>[^\?]+@(?P<sender_domain>[^\?]+))\?[^\"]+\"[^\>]+\>(?:<img[^\>]+\>)?\s*Reply to sender<\/a>'
),
.named_groups["sender_domain"] not in $org_domains
and .named_groups["sender_email"] not in $recipient_emails
and .named_groups["sender_email"] not in $sender_emails
and not (
.named_groups["sender_domain"] not in $free_email_providers
and .named_groups["sender_domain"] in $recipient_domains
and .named_groups["sender_domain"] in $sender_domains
)
)
)
)
tags:
- "Attack surface reduction"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Social engineering"
- "Free file host"
- "Evasion"
detection_methods:
- "HTML analysis"
- "Sender analysis"
- "Header analysis"
id: "68ca0753-207f-56a0-9dba-3bbbad002bbf"