Suspicious DocuSign share from new domain

name: "Suspicious DocuSign share from new domain"
description: "DocuSign shares with new reply-to addresses have been seen in recent attacks."
type: "rule"
severity: "high"
source: |
  type.inbound

  // message is from docusign actual
  and sender.email.domain.root_domain == 'docusign.net'
  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)

  // 
  // This rule makes use of a beta feature and is subject to change without notice
  // using the beta feature in custom rules is not suggested until it has been formally released
  // 

  // reply-to email address has never been sent an email by the org
  and not beta.profile.by_reply_to().solicited

  // new reply-to
  and any(headers.reply_to, network.whois(.email.domain).days_old < 30)

  // not a completed DocuSign
  and not strings.istarts_with(subject.subject, "Completed:")
tags:
 - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "d430a1f3-9a47-59b2-97fc-64b4792d5143"