Sync from PR#2044

Create abuse_docusign_unsolicited_reply-to.yml by @zoomequipd #2044 Source SHA d4e4229 Triggered by @zoomequipd
sublime-security · Nov 5, 2024 · d2adf5b · d2adf5b
1 parent 7d94937
commit d2adf5b
Showing 1 changed file with 3 additions and 10 deletions.
diff --git a/detection-rules/abuse_docusign_unsolicited_reply-to.yml b/detection-rules/abuse_docusign_unsolicited_reply-to.yml
@@ -7,15 +7,8 @@ source: |
 
   // message is from docusign actual
   and sender.email.domain.root_domain == 'docusign.net'
-  and headers.auth_summary.spf.pass
-  and (
-    headers.auth_summary.spf.details.designator == 'docusign.net'
-    // observed subdomains of docusign being used (camail.docusign.net)
-    or strings.ends_with(headers.auth_summary.spf.details.designator,
-                         '.docusign.net'
-    )
-  )
-  and headers.auth_summary.dmarc.pass
+  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
+
 
   // not a completed DocuSign
   // reminders are sent automatically and can be just as malicious as the initial
@@ -62,4 +55,4 @@ detection_methods:
   - "Sender analysis"
 id: "2f12d616-f47a-5259-8946-ac2e01940f6f"
 testing_pr: 2044
-testing_sha: ac94d6cce9f92aa1f9f028eecbf2c196a8fdb454
+testing_sha: d4e42291355913f6ef6d899dcdef4aa88d2c2094