Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create abuse_docusign_sus_names.yml #2094

Merged
merged 2 commits into from
Nov 13, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
159 changes: 159 additions & 0 deletions detection-rules/abuse_docusign_sus_names.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,159 @@
name: "Service Abuse: DocuSign Notification with Suspicious Sender or Document Name"
description: "The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name."
type: "rule"
severity: "medium"
source: |
type.inbound
and length(attachments) == 0
// Legitimate Docusign sending infratructure
and sender.email.domain.root_domain == 'docusign.net'
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
and length(headers.reply_to) > 0
and not any(headers.reply_to,
.email.domain.domain in $org_domains
or .email.domain.root_domain in $high_trust_sender_root_domains
or .email.domain.root_domain in ("docusign.net", "docusign.com")
)
and length(headers.reply_to) > 0
// reply-to email address has never been sent an email by the org
and not (
any(headers.reply_to, .email.email in $recipient_emails)
// if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains
or any(filter(headers.reply_to,
// filter the list to only emails that are not in free_email_providers
(
.email.domain.domain not in $free_email_providers
or .email.domain.root_domain not in $free_email_providers
)
),
.email.domain.domain in $recipient_domains
)
)
// reply-to address has never sent an email to the org
and not (
any(headers.reply_to, .email.email in $sender_emails)
// if the reply-to address is NOT in free_email_providers, check the domain in sender_domains
or any(filter(headers.reply_to,
// filter the list to only emails that are not in free_email_providers
(
.email.domain.domain not in $free_email_providers
or .email.domain.domain not in $free_email_providers
)
),
.email.domain.root_domain in $sender_domains
)
)
// not a completed DocuSign
// reminders are sent automatically and can be just as malicious as the initial
// users often decline malicious ones
and not strings.istarts_with(subject.subject, "Completed: ")
and not strings.istarts_with(subject.subject, "Here is your signed document: ")
and not strings.istarts_with(subject.subject, "Voided: ")
and (
// contains the word docusign before the `via Docusign` part
regex.icontains(sender.display_name, 'Docusign.*via Docusign$')
or strings.icontains(subject.subject, 'sharefile')
or strings.icontains(subject.subject, 'helloshare')
// sender names part of the subject
or (
// Billing Accounting
regex.icontains(sender.display_name,
'Accounts? (?:Payable|Receivable).*via Docusign$',
'Billing Support.*via Docusign$'
)
// HR/Payroll/Legal/etc
or regex.icontains(sender.display_name, 'Compliance HR.*via Docusign$')
or regex.icontains(sender.display_name,
'(?:Compliance|Executive|Finance|\bHR\b|Human Resources|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*(?:Department|Team)?.*via Docusign$'
)
or regex.icontains(sender.display_name,
'Corporate Communications.*via Docusign$'
)
or regex.icontains(sender.display_name, 'Employee Relations.*via Docusign$')
or regex.icontains(sender.display_name, 'Office Manager.*via Docusign$')
or regex.icontains(sender.display_name, 'Risk Management.*via Docusign$')
or regex.icontains(sender.display_name,
'Payroll Admin(?:istrator).*via Docusign$'
)
// IT related
or regex.icontains(sender.display_name,
'IT Support.*via Docusign$',
'Information Technology.*via Docusign$',
'(?:Network|System)? Admin(?:istrator).*via Docusign$',
'Help Desk.*via Docusign$',
'Tech(?:nical) Support.*via Docusign$'
)
)
// filename analysis
// the filename is also contained in the subject line
or (
// scanner themed
regex.icontains(subject.subject, 'scanne[rd]')
// image theme
or regex.icontains(subject.subject, '_IMG_')
or regex.icontains(subject.subject, 'IMG[_-](?:\d|\W)+')
// Invoice Themes
or regex.icontains(subject.subject, 'Invoice')
or regex.icontains(subject.subject, 'INV\b')
or regex.icontains(subject.subject, 'Payment')
or regex.icontains(subject.subject, '\bACH\b')
or regex.icontains(subject.subject, 'Wire Confirmation')
or regex.icontains(subject.subject, 'P[O0]\W+?\d+\"')
or regex.icontains(subject.subject, 'P[O0](?:\W+?|\d+)')
or regex.icontains(subject.subject, 'receipt')
or regex.icontains(subject.subject, 'Billing')
or regex.icontains(subject.subject, 'statement')
or regex.icontains(subject.subject, 'Past Due')
or regex.icontains(subject.subject, 'Remit(?:tance)?')
or regex.icontains(subject.subject, 'Purchase Order')
or regex.icontains(subject.subject, 'Settlementt')
// contract language
or regex.icontains(subject.subject, 'Pr[0o]p[0o]sal')
or regex.icontains(subject.subject, 'Claim Doc')
// Payroll/HR
or regex.icontains(subject.subject, 'Payroll')
or regex.icontains(subject.subject, 'Employee Pay\b')
or regex.icontains(subject.subject, 'Salary')
or regex.icontains(subject.subject, 'Benefit Enrollment')
or regex.icontains(subject.subject, 'Employee Handbook')
or regex.icontains(subject.subject, 'Reimbursement Approved')
//
// shared files/extenstion/urgency/CTA
or regex.icontains(subject.subject, 'Urgent')
or regex.icontains(subject.subject, 'Important')
or regex.icontains(subject.subject, 'Secure')
or regex.icontains(subject.subject, 'Encrypt')
or regex.icontains(subject.subject, 'shared')
or regex.icontains(subject.subject, 'protected')
or regex.icontains(subject.subject, 'Validate')
or regex.icontains(subject.subject, 'Action Required')
or regex.icontains(subject.subject, 'Final Notice')
or regex.icontains(subject.subject, 'Review(?: and| & |\s+)?Sign')
or regex.icontains(subject.subject, 'Download PDF')
// MFA theme
or regex.icontains(subject.subject, 'Verification Code')
or regex.icontains(subject.subject, '\bMFA\b')
)
)
attack_types:
- "Callback Phishing"
- "BEC/Fraud"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "Sender analysis"
- "Header analysis"
- "Content analysis"
id: "5e4707cd-1953-5fe2-9a62-34e3026f0336"