New Rule: Docusign embedded image lure (#1003)

Co-authored-by: ID Generator <[email protected]>
Co-authored-by: Josh Kamdjou <[email protected]>

detection-rules/credential_phishing_docusign_embedded_image_lure.yml

@@ -0,0 +1,53 @@
+name: "Credential Phishing: DocuSign embedded image lure with no DocuSign domains in links"
+description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo embedded in the body of the message, from a new sender."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and length(attachments) == 0
+  and any(body.links,
+          not strings.ilike(.href_url.domain.root_domain, "docusign.*")
+  )
+  and (
+    any(ml.logo_detect(beta.message_screenshot()).brands,
+        .name == "DocuSign"
+        or any(file.explode(beta.message_screenshot()),
+               strings.ilike(.scan.ocr.raw, "*DocuSign*")
+               and any(ml.nlu_classifier(.scan.ocr.raw).intents,
+                       .name == "cred_theft" and .confidence != "low"
+               )
+        )
+    )
+  )
+  and any(file.explode(beta.message_screenshot()),
+          regex.icontains(.scan.ocr.raw,
+                          "review document",
+                          "[^d][^o][^c][^u]sign",
+                          "important edocs",
+                          "completed document"
+          )
+  )
+  and (
+    (
+      not profile.by_sender().solicited
+      and profile.by_sender().prevalence in ("new", "outlier")
+    )
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+  
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Computer Vision"
+  - "Content analysis"
+  - "Header analysis"
+  - "Natural Language Understanding"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+id: "dfe8715e-6318-579b-9131-ddfc9854dc95"