From 0fcafac59ed7548c2d0f2f5ec77248b470392d08 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Fri, 1 Nov 2024 16:04:29 +0000
Subject: [PATCH] Sync from PR#2044 Create abuse_docusign_unsolicited_reply-to.yml by @zoomequipd https://github.com/sublime-security/sublime-rules/pull/2044 Source SHA ac94d6cce9f92aa1f9f028eecbf2c196a8fdb454 Triggered by @zoomequipd
---
 ...p.yml => abuse_docusign_unsolicited_reply-to.yml} | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
 rename detection-rules/{docusign_reply-to_without_existing_relationship.yml => abuse_docusign_unsolicited_reply-to.yml} (83%)
diff --git a/detection-rules/docusign_reply-to_without_existing_relationship.yml b/detection-rules/abuse_docusign_unsolicited_reply-to.yml
similarity index 83%
rename from detection-rules/docusign_reply-to_without_existing_relationship.yml
rename to detection-rules/abuse_docusign_unsolicited_reply-to.yml
index 60337749e54..220685eb647 100644
--- a/detection-rules/docusign_reply-to_without_existing_relationship.yml
+++ b/detection-rules/abuse_docusign_unsolicited_reply-to.yml
@@ -1,5 +1,5 @@
-name: "DocuSign Share From an Unsolicited Reply-To Address"
-description: "DocuSign shares which contain a reply-to address or domain which has not been previously observed by the recipient organzation."
+name: "Service Abuse: DocuSign Share From an Unsolicited Reply-To Address"
+description: "DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization."
 type: "rule"
 severity: "high"
 source: |
@@ -22,7 +22,7 @@ source: |
 // users often decline malicious ones
 and not strings.istarts_with(subject.subject, "Completed:")
- // reply-to email address as never been sent an email by the org
+ // reply-to email address has never been sent an email by the org
 and not (
 any(headers.reply_to, .email.email in $recipient_emails)
 // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains
@@ -33,7 +33,7 @@ source: |
 or .email.domain.root_domain not in $free_email_providers
 )
 ),
- .email.domain.root_domain in $recipient_domains
+ .email.domain.domain in $recipient_domains
 )
 )
 // reply-to address has never sent an email to the org
@@ -44,7 +44,7 @@ source: |
 // filter the list to only emails that are not in free_email_providers
 (
 .email.domain.domain not in $free_email_providers
- or .email.domain.root_domain not in $free_email_providers
+ or .email.domain.domain not in $free_email_providers
 )
 ),
 .email.domain.root_domain in $sender_domains
@@ -62,4 +62,4 @@ detection_methods:
 - "Sender analysis"
 id: "2f12d616-f47a-5259-8946-ac2e01940f6f"
 testing_pr: 2044
-testing_sha: f5904cb0c3b08baa33a1b60e2768900a0a896a67
+testing_sha: ac94d6cce9f92aa1f9f028eecbf2c196a8fdb454
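Review bot: In the `@@ -44,7 +44,7` hunk the added line makes both operands of the `or` identical — `.email.domain.domain not in $free_email_providers or .email.domain.domain not in $free_email_providers` — so the second clause is dead and this filter no longer consults the reply-to root domain at all, while the parallel filter in the `@@ -33,7 +33,7` hunk still reads `or .email.domain.root_domain not in $free_email_providers`. If the two filters are meant to stay symmetric the line should presumably remain `or .email.domain.root_domain not in $free_email_providers`; if the root-domain check was deliberately dropped, the whole `or` should go rather than be duplicated. The `@@ -33,7 +33,7` hunk also switches the recipient test to `.email.domain.domain in $recipient_domains` while the sender-side test in the next hunk keeps `.email.domain.root_domain in $sender_domains`; if that asymmetry is intentional (for example because the two lists are populated differently), a one-line `//` comment above each test saying so would stop the next maintainer from "fixing" it back. The enclosing `source:` block begins and ends outside these hunks.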