EXPLORE
Sign In
← Back to Explore
sublimehighRule

HR impersonation via e-sign agreement comment

This rule inspects messages originating from legitimate e-signature platform infrastructure, with engaging language in the body that matches HR Impersonation criteria.

MITRE ATT&CK

T1566.002T1534T1656T1566T1566.001T1598T1036T1027T1598.003
defense-evasioninitial-access

Detection Query

type.inbound
and length(attachments) == 0

// Legitimate Docusign sending infratructure
and (
  sender.email.domain.root_domain in (
    'docusign.net',
    'docusign.com',
    'hellosign.com'
  )
  // docusing.com as a reply-to is used in updates to documents, such as views, signs, etc
  and not any(headers.reply_to, .email.domain.domain == 'docusign.com')
  // check for SPF or DMARC passed
  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
)

// HR Impersonation in body
and regex.icontains(body.current_thread.text,
                    (
                      '(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
                    )
)

// Request and Urgency
and (
  any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
    )
    or any(ml.nlu_classifier(body.current_thread.text).entities,
           .name in ("urgency", "financial")
    )
  )
)
and (
  any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
  or length(ml.nlu_classifier(body.current_thread.text).intents) == 0 // not benign but not malicious either
)

//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//

// reply-to address has never sent an email to the org
and beta.profile.by_reply_to().prevalence == "new"

// reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited

// Negate legitimate HR docusigns originating from within the org
and not (all(headers.reply_to, .email.domain.root_domain in $org_domains))

// Negate replies
and (
  length(headers.references) == 0
  or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "HR impersonation via e-sign agreement comment"
description: "This rule inspects messages originating from legitimate e-signature platform infrastructure, with engaging language in the body that matches HR Impersonation criteria."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(attachments) == 0
  
  // Legitimate Docusign sending infratructure
  and (
    sender.email.domain.root_domain in (
      'docusign.net',
      'docusign.com',
      'hellosign.com'
    )
    // docusing.com as a reply-to is used in updates to documents, such as views, signs, etc
    and not any(headers.reply_to, .email.domain.domain == 'docusign.com')
    // check for SPF or DMARC passed
    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
  )
  
  // HR Impersonation in body
  and regex.icontains(body.current_thread.text,
                      (
                        '(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
                      )
  )
  
  // Request and Urgency
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
    and (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence == "high"
      )
      or any(ml.nlu_classifier(body.current_thread.text).entities,
             .name in ("urgency", "financial")
      )
    )
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
    or length(ml.nlu_classifier(body.current_thread.text).intents) == 0 // not benign but not malicious either
  )
  
  //
  // This rule makes use of a beta feature and is subject to change without notice
  // using the beta feature in custom rules is not suggested until it has been formally released
  //
  
  // reply-to address has never sent an email to the org
  and beta.profile.by_reply_to().prevalence == "new"
  
  // reply-to email address has never been sent an email by the org
  and not beta.profile.by_reply_to().solicited
  
  // Negate legitimate HR docusigns originating from within the org
  and not (all(headers.reply_to, .email.domain.root_domain in $org_domains))
  
  // Negate replies
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "796c6f0f-7571-5b87-b53e-97948e8be474"