← Back to Explore
sublimehighRule
DocuSign impersonation via spoofed Intuit sender
Detects messages appearing to come from Intuit domains with authentication failures while masquerading as DocuSign communications. The sender fails either SPF or DMARC verification, and includes DocuSign branding in either the subject line or display name.
Detection Query
type.inbound
and sender.email.domain.root_domain in ("intuit.com")
// email auth fails
and (
not headers.auth_summary.spf.pass
or not coalesce(headers.auth_summary.dmarc.pass, false)
)
// the subject or display_name includes docusign
and (
strings.icontains(subject.subject, "docusign")
or strings.icontains(sender.display_name, "docusign")
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "DocuSign impersonation via spoofed Intuit sender"
description: "Detects messages appearing to come from Intuit domains with authentication failures while masquerading as DocuSign communications. The sender fails either SPF or DMARC verification, and includes DocuSign branding in either the subject line or display name."
type: "rule"
severity: "high"
source: |
type.inbound
and sender.email.domain.root_domain in ("intuit.com")
// email auth fails
and (
not headers.auth_summary.spf.pass
or not coalesce(headers.auth_summary.dmarc.pass, false)
)
// the subject or display_name includes docusign
and (
strings.icontains(subject.subject, "docusign")
or strings.icontains(sender.display_name, "docusign")
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Spoofing"
detection_methods:
- "Header analysis"
- "Sender analysis"
id: "d437710b-ad4e-5618-93de-f559aa27ad8a"