diff --git a/detection-rules/attachment_pdf_docusign_impersonation_new_domain.yml b/detection-rules/attachment_pdf_docusign_impersonation_new_domain.yml new file mode 100644 index 00000000000..3db99ab88fa --- /dev/null +++ b/detection-rules/attachment_pdf_docusign_impersonation_new_domain.yml @@ -0,0 +1,46 @@ +name: "Attachment: DocuSign Impersonation (PDF) linking to New Domain <=3d" +description: "This rule detects PDF files containing a DocuSign logo linking to a newly created domain (Less than or equal to 3 days)" +type: "rule" +severity: "medium" +source: | + type.inbound + and any(attachments, + .file_type == "pdf" + and any(ml.logo_detect(.).brands, .name == "DocuSign") + and any(file.explode(.), any(.scan.pdf.urls, beta.whois(.domain).days_old <= 3)) + ) + + // negate legitimate docusign infrastructure + and + ( + ( + sender.email.domain.root_domain in ('docusign.net', 'docusign.com') + and ( + any(distinct(headers.hops, .authentication_results.dmarc is not null), + strings.ilike(.authentication_results.dmarc, "*fail") + ) + ) + ) + or sender.email.domain.root_domain not in ('docusign.net', 'docusign.com') + ) + + // excludes senders that contain "via" in the display name a resilient way + and not ( + any(headers.hops, + any(.fields, .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")) + ) + ) +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "PDF" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" + - "URL analysis" + - "File analysis" + - "Computer Vision" + - "Whois" +id: "f0c96282-6eb9-5e84-aa9d-a48f66db5a74"