From d7fde024b22c7d585b4162d9cd0707cfe0607c03 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Fri, 27 Sep 2024 14:08:20 -0400
Subject: [PATCH 1/2] Create brand_impersonation_docusign_pdf_with_suspicious_links.yml
---
 ...ion_docusign_pdf_with_suspicious_links.yml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 detection-rules/brand_impersonation_docusign_pdf_with_suspicious_links.yml
diff --git a/detection-rules/brand_impersonation_docusign_pdf_with_suspicious_links.yml b/detection-rules/brand_impersonation_docusign_pdf_with_suspicious_links.yml
new file mode 100644
index 00000000000..f50455bce9d
--- /dev/null
+++ b/detection-rules/brand_impersonation_docusign_pdf_with_suspicious_links.yml
@@ -0,0 +1,37 @@
+name: "Brand Impersonation: DocuSign pdf attachment with suspicious link"
+description: "This rule detects DocuSign logos within PDF's that do not link to reputable domains, nor docusign themselves. This is typically indicative of Credential Phishing."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(attachments,
+ .file_type == "pdf"
+ and any(ml.logo_detect(.).brands, .name == "DocuSign")
+ and any(file.explode(.),
+ length(.scan.url.urls) <=9
+ and any(.scan.url.urls,
+ .domain.root_domain not in $tranco_1m
+ and .domain.root_domain not in $org_domains
+ and .domain.root_domain != "sublimesecurity.com"
+ and not strings.ilike(.domain.root_domain, "docusign.*")
+ )
+ and any(ml.nlu_classifier(.scan.ocr.raw).entities,
+ .name == "org" and .text == "DocuSign"
+ )
+ and any(ml.nlu_classifier(.scan.ocr.raw).entities,
+ .name == "request"
+ )
+ )
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "PDF"
+ - "Social engineering"
+detection_methods:
+ - "File analysis"
+ - "Natural Language Understanding"
+ - "Optical Character Recognition"
+ - "URL analysis"
From a98d12f5e133d397a813d2ae55e1f2a4f7e6ef88 Mon Sep 17 00:00:00 2001
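Review bot: The exclusion `and not strings.ilike(.domain.root_domain, "docusign.*")` in the URL check wildcards the TLD, so an attacker-registered root domain such as `docusign.link` or `docusign.co` is treated as the legitimate brand and the PDF is never flagged, which is precisely the lookalike case this rule is meant to catch. Replace the wildcard with an explicit list of DocuSign-owned root domains, e.g. `and .domain.root_domain not in~ ("docusign.com", "docusign.net")`, and extend that list only from observed legitimate traffic. The hard-coded `.domain.root_domain != "sublimesecurity.com"` exclusion reads like a testing artifact; either drop it or state in the description why a single vendor domain is carved out. It is also worth recording in the description that the `$tranco_1m` exclusion means phishing pages hosted on popular free platforms inside that list will be missed, so analysts understand the rule's coverage boundary.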
From: ID Generator
Date: Fri, 27 Sep 2024 18:09:25 +0000
Subject: [PATCH 2/2] Auto add rule ID
---
 .../brand_impersonation_docusign_pdf_with_suspicious_links.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/brand_impersonation_docusign_pdf_with_suspicious_links.yml b/detection-rules/brand_impersonation_docusign_pdf_with_suspicious_links.yml
index f50455bce9d..52b20273f2f 100644
--- a/detection-rules/brand_impersonation_docusign_pdf_with_suspicious_links.yml
+++ b/detection-rules/brand_impersonation_docusign_pdf_with_suspicious_links.yml
@@ -35,3 +35,4 @@ detection_methods:
 - "Natural Language Understanding"
 - "Optical Character Recognition"
 - "URL analysis"
+id: "2601cbb7-0a07-5289-a32f-68c0db3c3170"