Sync from PR#2044

Create abuse_docusign_unsolicited_reply-to.yml by @zoomequipd #2044 Source SHA ac94d6c Triggered by @zoomequipd
sublime-security · Nov 1, 2024 · 0fcafac · 0fcafac
1 parent d68eee2
commit 0fcafac
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/...eply-to_without_existing_relationship.yml → ...s/abuse_docusign_unsolicited_reply-to.yml b/...eply-to_without_existing_relationship.yml → ...s/abuse_docusign_unsolicited_reply-to.yml
@@ -1,5 +1,5 @@
-name: "DocuSign Share From an Unsolicited Reply-To Address"
-description: "DocuSign shares which contain a reply-to address or domain which has not been previously observed by the recipient organzation."
+name: "Service Abuse: DocuSign Share From an Unsolicited Reply-To Address"
+description: "DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization."
 type: "rule"
 severity: "high"
 source: |
@@ -22,7 +22,7 @@ source: |
   // users often decline malicious ones
   and not strings.istarts_with(subject.subject, "Completed:")
 
-  // reply-to email address as never been sent an email by the org
+  // reply-to email address has never been sent an email by the org
   and not (
     any(headers.reply_to, .email.email in $recipient_emails)
     // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains
@@ -33,7 +33,7 @@ source: |
                     or .email.domain.root_domain not in $free_email_providers
                   )
            ),
-           .email.domain.root_domain in $recipient_domains
+           .email.domain.domain in $recipient_domains
     )
   )
   // reply-to address has never sent an email to the org
@@ -44,7 +44,7 @@ source: |
                   // filter the list to only emails that are not in free_email_providers
                   (
                     .email.domain.domain not in $free_email_providers
-                    or .email.domain.root_domain not in $free_email_providers
+                    or .email.domain.domain not in $free_email_providers
                   )
            ),
            .email.domain.root_domain in $sender_domains
@@ -62,4 +62,4 @@ detection_methods:
   - "Sender analysis"
 id: "2f12d616-f47a-5259-8946-ac2e01940f6f"
 testing_pr: 2044
-testing_sha: f5904cb0c3b08baa33a1b60e2768900a0a896a67
+testing_sha: ac94d6cce9f92aa1f9f028eecbf2c196a8fdb454