← Back to Explore
sublimehighRule
Credential phishing: DocuSign embedded image lure with no DocuSign domains in links
Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo embedded in the body of the message, from a new sender.
Detection Query
type.inbound
// link boundary
and length(filter(body.links, .href_url.domain.valid)) < 25
// there are no attachments, or only small, likely signature images
and (
length(attachments) == 0
or (
length(attachments) > 0
and all(attachments, .size < 8000 and .file_type in $file_types_images)
)
)
// Screenshot indicates a docusign logo or docusign name with cta to documents
and (
(
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
strings.ilike(beta.ocr(file.message_screenshot()).text, "*DocuSign*")
or any(ml.logo_detect(file.message_screenshot()).brands,
.name == "DocuSign"
)
)
and (
(
(
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
regex.icontains(beta.ocr(file.message_screenshot()).text,
"((re)?view|access|sign|complete(d)?) documen(t)?(s)?",
"Your document has been completed",
"New Document Shared with you",
"Kindly click the link",
"important edocs",
// German (Document (check|check|sign|sent))
"Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
)
// German (important|urgent|immediate) but not in the Microsoft link
or (
(
any(body.links,
.display_text == "Erfahren Sie, warum dies wichtig ist"
and .href_url.url == "https://aka.ms/LearnAboutSenderIdentification"
)
and regex.icount(beta.ocr(file.message_screenshot()).text,
"(wichtig|dringend|sofort)"
) > 1
)
or (
not any(body.links,
.display_text == "Erfahren Sie, warum dies wichtig ist"
and .href_url.url == "https://aka.ms/LearnAboutSenderIdentification"
)
and regex.icount(beta.ocr(file.message_screenshot()).text,
"(wichtig|dringend|sofort)"
) > 0
)
)
)
and any(body.links,
not strings.ilike(.href_url.domain.root_domain, "docusign.*")
and (.display_text is null and .display_url.url is null)
)
)
or any(body.links,
not strings.ilike(.href_url.domain.root_domain, "docusign.*")
and (
regex.icontains(strings.replace_confusables(.display_text),
'(\bdocument|(view|get your) (docu|file))'
)
or strings.icontains(.display_text,
"R\u{200F}E\u{200F}V\u{200F}I\u{200F}E\u{200F}W\u{200F} \u{200F}D\u{200F}O\u{200F}C\u{200F}U\u{200F}M\u{200F}E\u{200F}N\u{200F}T\u{200F}"
)
)
)
)
)
// links with null display_text that do not go to docusign.* (indicative of hyperlinked image) or the display text contains DOCUMENT
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// negate legit replies
and not (
length(headers.references) > 0
or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
and not profile.by_sender().any_messages_benign
// negate docusign X-Return-Path
and not any(headers.hops,
.index == 0
and any(.fields,
.name == "X-Return-Path"
and strings.ends_with(.value, "docusign.net")
)
)
// negate "via" senders via dmarc authentication
and (
not coalesce(headers.auth_summary.dmarc.pass
and strings.contains(sender.display_name, "via")
and sender.email.domain.domain in $org_domains,
false
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Credential phishing: DocuSign embedded image lure with no DocuSign domains in links"
description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo embedded in the body of the message, from a new sender."
type: "rule"
severity: "high"
source: |
type.inbound
// link boundary
and length(filter(body.links, .href_url.domain.valid)) < 25
// there are no attachments, or only small, likely signature images
and (
length(attachments) == 0
or (
length(attachments) > 0
and all(attachments, .size < 8000 and .file_type in $file_types_images)
)
)
// Screenshot indicates a docusign logo or docusign name with cta to documents
and (
(
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
strings.ilike(beta.ocr(file.message_screenshot()).text, "*DocuSign*")
or any(ml.logo_detect(file.message_screenshot()).brands,
.name == "DocuSign"
)
)
and (
(
(
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
regex.icontains(beta.ocr(file.message_screenshot()).text,
"((re)?view|access|sign|complete(d)?) documen(t)?(s)?",
"Your document has been completed",
"New Document Shared with you",
"Kindly click the link",
"important edocs",
// German (Document (check|check|sign|sent))
"Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
)
// German (important|urgent|immediate) but not in the Microsoft link
or (
(
any(body.links,
.display_text == "Erfahren Sie, warum dies wichtig ist"
and .href_url.url == "https://aka.ms/LearnAboutSenderIdentification"
)
and regex.icount(beta.ocr(file.message_screenshot()).text,
"(wichtig|dringend|sofort)"
) > 1
)
or (
not any(body.links,
.display_text == "Erfahren Sie, warum dies wichtig ist"
and .href_url.url == "https://aka.ms/LearnAboutSenderIdentification"
)
and regex.icount(beta.ocr(file.message_screenshot()).text,
"(wichtig|dringend|sofort)"
) > 0
)
)
)
and any(body.links,
not strings.ilike(.href_url.domain.root_domain, "docusign.*")
and (.display_text is null and .display_url.url is null)
)
)
or any(body.links,
not strings.ilike(.href_url.domain.root_domain, "docusign.*")
and (
regex.icontains(strings.replace_confusables(.display_text),
'(\bdocument|(view|get your) (docu|file))'
)
or strings.icontains(.display_text,
"R\u{200F}E\u{200F}V\u{200F}I\u{200F}E\u{200F}W\u{200F} \u{200F}D\u{200F}O\u{200F}C\u{200F}U\u{200F}M\u{200F}E\u{200F}N\u{200F}T\u{200F}"
)
)
)
)
)
// links with null display_text that do not go to docusign.* (indicative of hyperlinked image) or the display text contains DOCUMENT
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// negate legit replies
and not (
length(headers.references) > 0
or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
and not profile.by_sender().any_messages_benign
// negate docusign X-Return-Path
and not any(headers.hops,
.index == 0
and any(.fields,
.name == "X-Return-Path"
and strings.ends_with(.value, "docusign.net")
)
)
// negate "via" senders via dmarc authentication
and (
not coalesce(headers.auth_summary.dmarc.pass
and strings.contains(sender.display_name, "via")
and sender.email.domain.domain in $org_domains,
false
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Computer Vision"
- "Content analysis"
- "Header analysis"
- "Natural Language Understanding"
- "Optical Character Recognition"
- "Sender analysis"
id: "dfe8715e-6318-579b-9131-ddfc9854dc95"