

Sync from PR#2094
Create abuse_docusign_sus_names.yml by @zoomequipd
#2094
Source SHA cda27bc
Triggered by @zoomequipd
Sublime Rule Testing Bot committed Nov 6, 2024
1 parent 16e23eb commit 2caedcd
Showing 1 changed file with 18 additions and 0 deletions.
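--- /dev/null
+++ b/detection-rules/abuse_docusign_sus_names.yml
@@ -0,0 +1,18 @@
+name: "Service Abuse: DocuSign Notification with Suspicious Sender or Document Name"
+description: "The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name."
+type: "rule"
+severity: "medium"
+source: "type.inbound\nand length(attachments) == 0\n\n// Legitimate Docusign sending infratructure\nand sender.email.domain.root_domain == 'docusign.net'\nand (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)\nand length(headers.reply_to) > 0\nand not any(headers.reply_to,\n .email.domain.domain in $org_domains\n or .email.domain.root_domain in $high_trust_sender_root_domains\n or .email.domain.root_domain in (\"docusign.net\", \"docusign.com\")\n)\n\n and length(headers.reply_to) > 0 \n // reply-to email address has never been sent an email by the org\n and not (\n any(headers.reply_to, .email.email in $recipient_emails)\n // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains\n or any(filter(headers.reply_to,\n // filter the list to only emails that are not in free_email_providers\n (\n .email.domain.domain not in $free_email_providers\n or .email.domain.root_domain not in $free_email_providers\n )\n ),\n .email.domain.domain in $recipient_domains\n )\n )\n // reply-to address has never sent an email to the org\n and not (\n any(headers.reply_to, .email.email in $sender_emails)\n // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains\n or any(filter(headers.reply_to,\n // filter the list to only emails that are not in free_email_providers\n (\n .email.domain.domain not in $free_email_providers\n or .email.domain.domain not in $free_email_providers\n )\n ),\n .email.domain.root_domain in $sender_domains\n )\n )\n\n// not a completed DocuSign\n// reminders are sent automatically and can be just as malicious as the initial\n// users often decline malicious ones\nand not strings.istarts_with(subject.subject, \"Completed: \")\nand not strings.istarts_with(subject.subject, \"Here is your signed document: \")\nand not strings.istarts_with(subject.subject, \"Voided: \")\nand (\n // contains the word docusign before the `via Docusign` part\n regex.icontains(sender.display_name, 'Docusign.*via Docusign$')\n or strings.icontains(subject.subject, 'sharefile')\n or strings.icontains(subject.subject, 'helloshare')\n\n // sender names part of the subject\n or (\n // Billing Accounting\n regex.icontains(sender.display_name,\n 'Accounts? (?:Payable|Receivable).*via Docusign$',\n 'Billing Support.*via Docusign$'\n )\n\n // HR/Payroll/Legal/etc\n or regex.icontains(sender.display_name, 'Compliance HR.*via Docusign$')\n or regex.icontains(sender.display_name,\n '(?:Compliance|Executive|Finance|\\bHR\\b|Human Resources|\\bIT\\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*(?:Department|Team)?.*via Docusign$'\n )\n or regex.icontains(sender.display_name,\n 'Corporate Communications.*via Docusign$'\n )\n or regex.icontains(sender.display_name, 'Employee Relations.*via Docusign$')\n or regex.icontains(sender.display_name, 'Office Manager.*via Docusign$')\n or regex.icontains(sender.display_name, 'Risk Management.*via Docusign$')\n or regex.icontains(sender.display_name,\n 'Payroll Admin(?:istrator).*via Docusign$'\n )\n\n // IT related\n or regex.icontains(sender.display_name,\n 'IT Support.*via Docusign$',\n 'Information Technology.*via Docusign$',\n '(?:Network|System)? Admin(?:istrator).*via Docusign$',\n 'Help Desk.*via Docusign$',\n 'Tech(?:nical) Support.*via Docusign$'\n )\n )\n // filename analysis\n // the filename is also contained in the subject line\n or (\n // scanner themed\n regex.icontains(subject.subject, 'scanne[rd]')\n // image theme\n or regex.icontains(subject.subject, '_IMG_')\n or regex.icontains(subject.subject, 'IMG[_-](?:\\d|\\W)+')\n\n // Invoice Themes\n or regex.icontains(subject.subject, 'Invoice')\n or regex.icontains(subject.subject, 'INV\\b')\n or regex.icontains(subject.subject, 'Payment')\n or regex.icontains(subject.subject, '\\bACH\\b')\n or regex.icontains(subject.subject, 'Wire Confirmation')\n or regex.icontains(subject.subject, 'P[O0]\\W+?\\d+\\\"')\n or regex.icontains(subject.subject, 'P[O0](?:\\W+?|\\d+)')\n or regex.icontains(subject.subject, 'receipt')\n or regex.icontains(subject.subject, 'Billing')\n or regex.icontains(subject.subject, 'statement')\n or regex.icontains(subject.subject, 'Past Due')\n or regex.icontains(subject.subject, 'Remit(?:tance)?')\n or regex.icontains(subject.subject, 'Purchase Order')\n or regex.icontains(subject.subject, 'Settlementt')\n\n // contract language\n or regex.icontains(subject.subject, 'Pr[0o]p[0o]sal')\n or regex.icontains(subject.subject, 'Claim Doc')\n\n // Payroll/HR\n or regex.icontains(subject.subject, 'Payroll')\n or regex.icontains(subject.subject, 'Employee Pay\\b')\n or regex.icontains(subject.subject, 'Salary')\n or regex.icontains(subject.subject, 'Benefit Enrollment')\n or regex.icontains(subject.subject, 'Employee Handbook')\n or regex.icontains(subject.subject, 'Reimbursement Approved')\n\n // \n // shared files/extenstion/urgency/CTA\n or regex.icontains(subject.subject, 'Urgent')\n or regex.icontains(subject.subject, 'Important')\n or regex.icontains(subject.subject, 'Secure')\n or regex.icontains(subject.subject, 'Encrypt')\n or regex.icontains(subject.subject, 'shared')\n or regex.icontains(subject.subject, 'protected')\n or regex.icontains(subject.subject, 'Validate')\n or regex.icontains(subject.subject, 'Action Required')\n or regex.icontains(subject.subject, 'Final Notice')\n or regex.icontains(subject.subject, 'Review(?: and| & |\\s+)?Sign')\n or regex.icontains(subject.subject, 'Download PDF')\n\n // MFA theme\n or regex.icontains(subject.subject, 'Verification Code')\n or regex.icontains(subject.subject, '\\bMFA\\b')\n )\n)\n"
+attack_types:
+- "Callback Phishing"
+- "BEC/Fraud"
+tactics_and_techniques:
+- "Evasion"
+- "Social engineering"
+detection_methods:
+- "Sender analysis"
+- "Header analysis"
+- "Content analysis"
+id: "5e4707cd-1953-5fe2-9a62-34e3026f0336"
+testing_pr: 2094
+testing_sha: cda27bc775e7a3a7b12182b2722c7023ae959985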
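Review bot: Several sender display-name patterns in `source` cannot match the short form they are grouped for because the non-capturing group is not optional: `'Tech(?:nical) Support.*via Docusign$'` matches only "Technical Support", and `'Payroll Admin(?:istrator).*via Docusign$'` and `'(?:Network|System)? Admin(?:istrator).*via Docusign$'` match only "Administrator"; writing them as `(?:nical)?` and `(?:istrator)?` gives the coverage the grouping implies. The subject pattern `'Settlementt'` has a doubled `t` and will not match "Settlement". The two reply-to history blocks are not parallel: the second `filter` repeats `.email.domain.domain not in $free_email_providers` as both clauses where the first block checks `root_domain` in its second clause, and the first compares `.email.domain.domain` against `$recipient_domains` while the second compares `.email.domain.root_domain` against `$sender_domains`, so presumably one shape is intended for both. `and length(headers.reply_to) > 0` is evaluated twice and the second occurrence can be dropped. The pattern `'P[O0]\\W+?\\d+\\\"'` ends in an escaped literal double quote, which looks like a serialization artifact rather than an intended match on a `"` character after the digits; worth confirming against the rule as authored.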
