← Back to Explore
sublimemediumRule
Brand impersonation: Xodo Sign
Detects messages impersonating Xodo Sign with 'Processed by Xodo Sign' text from unauthorized senders that fail DMARC authentication.
Detection Query
type.inbound
and strings.icontains(body.current_thread.text, "processed by xodo sign")
and not (
sender.email.domain.root_domain == "eversign.com"
and headers.auth_summary.dmarc.pass
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Xodo Sign"
description: "Detects messages impersonating Xodo Sign with 'Processed by Xodo Sign' text from unauthorized senders that fail DMARC authentication."
type: "rule"
severity: "medium"
source: |
type.inbound
and strings.icontains(body.current_thread.text, "processed by xodo sign")
and not (
sender.email.domain.root_domain == "eversign.com"
and headers.auth_summary.dmarc.pass
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Sender analysis"
id: "e6139052-6ec8-5d3c-91e1-13ab1ae2d536"