Skip to content

Commit

Permalink
Merge branch 'main' into sam.trusted_senders
Browse files Browse the repository at this point in the history
  • Loading branch information
morriscode authored Oct 26, 2023
2 parents 48512d5 + ec3765c commit 70d775a
Showing 1 changed file with 46 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
name: "Attachment: DocuSign Impersonation (PDF) linking to New Domain <=3d"
description: "This rule detects PDF files containing a DocuSign logo linking to a newly created domain (Less than or equal to 3 days)"
type: "rule"
severity: "medium"
source: |
type.inbound
and any(attachments,
.file_type == "pdf"
and any(ml.logo_detect(.).brands, .name == "DocuSign")
and any(file.explode(.), any(.scan.pdf.urls, beta.whois(.domain).days_old <= 3))
)
// negate legitimate docusign infrastructure
and
(
(
sender.email.domain.root_domain in ('docusign.net', 'docusign.com')
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in ('docusign.net', 'docusign.com')
)
// excludes senders that contain "via" in the display name a resilient way
and not (
any(headers.hops,
any(.fields, .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net"))
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "PDF"
- "Social engineering"
detection_methods:
- "Header analysis"
- "Sender analysis"
- "URL analysis"
- "File analysis"
- "Computer Vision"
- "Whois"
id: "f0c96282-6eb9-5e84-aa9d-a48f66db5a74"

0 comments on commit 70d775a

Please sign in to comment.