From 16e23ebe9a7572fae8074eac98e2e05428fc05d5 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Wed, 6 Nov 2024 02:55:44 +0000
Subject: [PATCH] Sync from PR#2044 Create abuse_docusign_unsolicited_reply-to.yml by @zoomequipd https://github.com/sublime-security/sublime-rules/pull/2044 Source SHA b88469d25b5b5af074562b3d1d27c56a8a0909ff Triggered by @zoomequipd
---
 detection-rules/abuse_docusign_unsolicited_reply-to.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/detection-rules/abuse_docusign_unsolicited_reply-to.yml b/detection-rules/abuse_docusign_unsolicited_reply-to.yml
index 3e5c8f6d628..cea7871cbd8 100644
--- a/detection-rules/abuse_docusign_unsolicited_reply-to.yml
+++ b/detection-rules/abuse_docusign_unsolicited_reply-to.yml
@@ -2,7 +2,7 @@ name: "Service Abuse: DocuSign Share From an Unsolicited Reply-To Address"
 description: "DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization."
 type: "rule"
 severity: "high"
-source: "type.inbound\n\n// message is from docusign actual\nand sender.email.domain.root_domain == 'docusign.net'\nand (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)\n\n\n// not a completed DocuSign\n// reminders are sent automatically and can be just as malicious as the initial\n// users often decline malicious ones\nand not strings.istarts_with(subject.subject, \"Completed:\")\n\nand length(headers.reply_to) > 0 \n// reply-to email address has never been sent an email by the org\nand not (\n any(headers.reply_to, .email.email in $recipient_emails)\n // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains\n or any(filter(headers.reply_to,\n // filter the list to only emails that are not in free_email_providers\n (\n .email.domain.domain not in $free_email_providers\n or .email.domain.root_domain not in $free_email_providers\n )\n ),\n .email.domain.domain in $recipient_domains\n )\n)\n// reply-to address has never sent an email to the org\nand not (\n any(headers.reply_to, .email.email in $sender_emails)\n // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains\n or any(filter(headers.reply_to,\n // filter the list to only emails that are not in free_email_providers\n (\n .email.domain.domain not in $free_email_providers\n or .email.domain.domain not in $free_email_providers\n )\n ),\n .email.domain.root_domain in $sender_domains\n )\n)\n"
+source: "type.inbound\n\n// message is from docusign actual\nand sender.email.domain.root_domain == 'docusign.net'\nand (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)\n\n\n// not a completed DocuSign\n// reminders are sent automatically and can 
be just as malicious as the initial\n// users often decline malicious ones\nand not strings.istarts_with(subject.subject, \"Completed: \")\nand not strings.istarts_with(subject.subject, \"Here is your signed document: \")\nand not strings.istarts_with(subject.subject, \"Voided: \")\n\nand length(headers.reply_to) > 0 \n// reply-to email address has never been sent an email by the org\nand not (\n any(headers.reply_to, .email.email in $recipient_emails)\n // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains\n or any(filter(headers.reply_to,\n // filter the list to only emails that are not in free_email_providers\n (\n .email.domain.domain not in $free_email_providers\n or .email.domain.root_domain not in $free_email_providers\n )\n ),\n .email.domain.domain in $recipient_domains\n )\n)\n// reply-to address has never sent an email to the org\nand not (\n any(headers.reply_to, .email.email in $sender_emails)\n // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains\n or any(filter(headers.reply_to,\n // filter the list to only emails that are not in free_email_providers\n (\n .email.domain.domain not in $free_email_providers\n or .email.domain.domain not in $free_email_providers\n )\n ),\n .email.domain.root_domain in $sender_domains\n )\n)\n"
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
@@ -15,4 +15,4 @@ detection_methods:
 - "Sender analysis"
 id: "2f12d616-f47a-5259-8946-ac2e01940f6f"
 testing_pr: 2044
-testing_sha: 481d3d4e2f6179b6bd6eadcc877e7220b26c4ae9
+testing_sha: b88469d25b5b5af074562b3d1d27c56a8a0909ff
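Review bot: In the second reply-to block of the new `source` (the `$sender_emails` / `$sender_domains` check) the filter predicate repeats `.email.domain.domain not in $free_email_providers` on both sides of the `or`, so the root-domain test that the first block performs and the comment promises is never applied there; the second operand should be `or .email.domain.root_domain not in $free_email_providers`. Joining the two tests with `or` also keeps an address as soon as either its domain or its root domain is absent from `$free_email_providers`, which is looser than "not a free-mail address" — if that list holds only root domains, a subdomain of a free provider survives the filter, so `and` looks like the intended operator in both blocks; worth confirming against how `$free_email_providers` is populated. Separately, the three `strings.istarts_with(subject.subject, ...)` exclusions key on subject text that, as far as I know, the envelope sender can customise in DocuSign, so an attacker-chosen subject beginning with `Completed: ` would sidestep the rule; a comment recording that trade-off would help, e.g. `// subject-prefix exclusions can be bypassed if the sender sets a custom envelope subject`.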