sublime-security · morriscode · Sep 27, 2024 · Sep 27, 2024
@@ -0,0 +1,38 @@
+name: "Brand Impersonation: DocuSign pdf attachment with suspicious link"
+description: "This rule detects DocuSign logos within PDF's that do not link to reputable domains, nor docusign themselves. This is typically indicative of Credential Phishing."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          .file_type == "pdf"
+          and any(ml.logo_detect(.).brands, .name == "DocuSign")
+          and any(file.explode(.),
+                  length(.scan.url.urls) <=9
+                  and any(.scan.url.urls,
+                          .domain.root_domain not in $tranco_1m
+                          and .domain.root_domain not in $org_domains
+                          and .domain.root_domain != "sublimesecurity.com"
+                          and not strings.ilike(.domain.root_domain, "docusign.*")
+                  )
+                  and any(ml.nlu_classifier(.scan.ocr.raw).entities,
+                          .name == "org" and .text == "DocuSign"
+                  )
+                  and any(ml.nlu_classifier(.scan.ocr.raw).entities,
+                          .name == "request"
+                  )
+          )
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "PDF"
+  - "Social engineering"
+detection_methods:
+  - "File analysis"
+  - "Natural Language Understanding"
+  - "Optical Character Recognition"
+  - "URL analysis"
+id: "2601cbb7-0a07-5289-a32f-68c0db3c3170"