From 2caedcd67305f06393b717c8b6d6073d2620a6b9 Mon Sep 17 00:00:00 2001 From: Sublime Rule Testing Bot Date: Wed, 6 Nov 2024 04:49:12 +0000 Subject: [PATCH] Sync from PR#2094 Create abuse_docusign_sus_names.yml by @zoomequipd https://github.com/sublime-security/sublime-rules/pull/2094 Source SHA cda27bc775e7a3a7b12182b2722c7023ae959985 Triggered by @zoomequipd --- detection-rules/abuse_docusign_sus_names.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 detection-rules/abuse_docusign_sus_names.yml diff --git a/detection-rules/abuse_docusign_sus_names.yml b/detection-rules/abuse_docusign_sus_names.yml new file mode 100644 index 00000000000..d36bceb5f71 --- /dev/null +++ b/detection-rules/abuse_docusign_sus_names.yml @@ -0,0 +1,18 @@ +name: "Service Abuse: DocuSign Notification with Suspicious Sender or Document Name" +description: "The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name." +type: "rule" +severity: "medium" +source: "type.inbound\nand length(attachments) == 0\n\n// Legitimate Docusign sending infratructure\nand sender.email.domain.root_domain == 'docusign.net'\nand (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)\nand length(headers.reply_to) > 0\nand not any(headers.reply_to,\n .email.domain.domain in $org_domains\n or .email.domain.root_domain in $high_trust_sender_root_domains\n or .email.domain.root_domain in (\"docusign.net\", \"docusign.com\")\n)\n\n and length(headers.reply_to) > 0 \n // reply-to email address has never been sent an email by the org\n and not (\n any(headers.reply_to, .email.email in $recipient_emails)\n // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains\n or any(filter(headers.reply_to,\n // filter the list to only emails that are not in free_email_providers\n (\n .email.domain.domain not in $free_email_providers\n or .email.domain.root_domain not in $free_email_providers\n )\n ),\n .email.domain.domain in $recipient_domains\n )\n )\n // reply-to address has never sent an email to the org\n and not (\n any(headers.reply_to, .email.email in $sender_emails)\n // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains\n or any(filter(headers.reply_to,\n // filter the list to only emails that are not in free_email_providers\n (\n .email.domain.domain not in $free_email_providers\n or .email.domain.domain not in $free_email_providers\n )\n ),\n .email.domain.root_domain in $sender_domains\n )\n )\n\n// not a completed DocuSign\n// reminders are sent automatically and can be just as malicious as the initial\n// users often decline malicious ones\nand not strings.istarts_with(subject.subject, \"Completed: \")\nand not strings.istarts_with(subject.subject, \"Here is your signed document: \")\nand not strings.istarts_with(subject.subject, \"Voided: \")\nand (\n // contains the word docusign before the `via Docusign` part\n regex.icontains(sender.display_name, 'Docusign.*via Docusign$')\n or strings.icontains(subject.subject, 'sharefile')\n or strings.icontains(subject.subject, 'helloshare')\n\n // sender names part of the subject\n or (\n // Billing Accounting\n regex.icontains(sender.display_name,\n 'Accounts? (?:Payable|Receivable).*via Docusign$',\n 'Billing Support.*via Docusign$'\n )\n\n // HR/Payroll/Legal/etc\n or regex.icontains(sender.display_name, 'Compliance HR.*via Docusign$')\n or regex.icontains(sender.display_name,\n '(?:Compliance|Executive|Finance|\\bHR\\b|Human Resources|\\bIT\\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*(?:Department|Team)?.*via Docusign$'\n )\n or regex.icontains(sender.display_name,\n 'Corporate Communications.*via Docusign$'\n )\n or regex.icontains(sender.display_name, 'Employee Relations.*via Docusign$')\n or regex.icontains(sender.display_name, 'Office Manager.*via Docusign$')\n or regex.icontains(sender.display_name, 'Risk Management.*via Docusign$')\n or regex.icontains(sender.display_name,\n 'Payroll Admin(?:istrator).*via Docusign$'\n )\n\n // IT related\n or regex.icontains(sender.display_name,\n 'IT Support.*via Docusign$',\n 'Information Technology.*via Docusign$',\n '(?:Network|System)? Admin(?:istrator).*via Docusign$',\n 'Help Desk.*via Docusign$',\n 'Tech(?:nical) Support.*via Docusign$'\n )\n )\n // filename analysis\n // the filename is also contained in the subject line\n or (\n // scanner themed\n regex.icontains(subject.subject, 'scanne[rd]')\n // image theme\n or regex.icontains(subject.subject, '_IMG_')\n or regex.icontains(subject.subject, 'IMG[_-](?:\\d|\\W)+')\n\n // Invoice Themes\n or regex.icontains(subject.subject, 'Invoice')\n or regex.icontains(subject.subject, 'INV\\b')\n or regex.icontains(subject.subject, 'Payment')\n or regex.icontains(subject.subject, '\\bACH\\b')\n or regex.icontains(subject.subject, 'Wire Confirmation')\n or regex.icontains(subject.subject, 'P[O0]\\W+?\\d+\\\"')\n or regex.icontains(subject.subject, 'P[O0](?:\\W+?|\\d+)')\n or regex.icontains(subject.subject, 'receipt')\n or regex.icontains(subject.subject, 'Billing')\n or regex.icontains(subject.subject, 'statement')\n or regex.icontains(subject.subject, 'Past Due')\n or regex.icontains(subject.subject, 'Remit(?:tance)?')\n or regex.icontains(subject.subject, 'Purchase Order')\n or regex.icontains(subject.subject, 'Settlementt')\n\n // contract language\n or regex.icontains(subject.subject, 'Pr[0o]p[0o]sal')\n or regex.icontains(subject.subject, 'Claim Doc')\n\n // Payroll/HR\n or regex.icontains(subject.subject, 'Payroll')\n or regex.icontains(subject.subject, 'Employee Pay\\b')\n or regex.icontains(subject.subject, 'Salary')\n or regex.icontains(subject.subject, 'Benefit Enrollment')\n or regex.icontains(subject.subject, 'Employee Handbook')\n or regex.icontains(subject.subject, 'Reimbursement Approved')\n\n // \n // shared files/extenstion/urgency/CTA\n or regex.icontains(subject.subject, 'Urgent')\n or regex.icontains(subject.subject, 'Important')\n or regex.icontains(subject.subject, 'Secure')\n or regex.icontains(subject.subject, 'Encrypt')\n or regex.icontains(subject.subject, 'shared')\n or regex.icontains(subject.subject, 'protected')\n or regex.icontains(subject.subject, 'Validate')\n or regex.icontains(subject.subject, 'Action Required')\n or regex.icontains(subject.subject, 'Final Notice')\n or regex.icontains(subject.subject, 'Review(?: and| & |\\s+)?Sign')\n or regex.icontains(subject.subject, 'Download PDF')\n\n // MFA theme\n or regex.icontains(subject.subject, 'Verification Code')\n or regex.icontains(subject.subject, '\\bMFA\\b')\n )\n)\n" +attack_types: + - "Callback Phishing" + - "BEC/Fraud" +tactics_and_techniques: + - "Evasion" + - "Social engineering" +detection_methods: + - "Sender analysis" + - "Header analysis" + - "Content analysis" +id: "5e4707cd-1953-5fe2-9a62-34e3026f0336" +testing_pr: 2094 +testing_sha: cda27bc775e7a3a7b12182b2722c7023ae959985