Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New Rule: Brand Impersonation: DocuSign (QR code) #938

Merged
merged 5 commits into from
Nov 9, 2023
Merged

New Rule: Brand Impersonation: DocuSign (QR code) #938

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
c815647
New Rule: Brand Impersonation: DocuSign (QR code)
morriscode Nov 8, 2023
d54db30
Update attachment_docusign_image_lure_qr_code.yml
morriscode Nov 8, 2023
b9cf707
Auto add rule ID
Nov 8, 2023
a5c4cc8
Update attachment_docusign_image_lure_qr_code.yml
morriscode Nov 8, 2023
fa4b3ed
Merge branch 'main' into sam.docusign.qr
jkamdjou Nov 9, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
91 changes: 91 additions & 0 deletions detection-rules/attachment_docusign_image_lure_qr_code.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
name: "Brand impersonation: DocuSign (QR code)"
description: "Detects messages using DocuSign image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads."
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and (
any(ml.logo_detect(.).brands,
.name == "DocuSign" and .confidence in ("medium", "high")
)
or any(ml.logo_detect(beta.message_screenshot()).brands,
.name == "DocuSign"
)
)
)
and any(attachments,
(
.file_type in $file_types_images
or .file_type == "pdf"
or .file_type in $file_extensions_macros
)
and (
any(file.explode(.),
regex.icontains(.scan.ocr.raw, 'scan|camera')
and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
)
or (
any(file.explode(.),
.scan.qr.type == "url"
// recipient email address is present in the URL, a common tactic used in credential phishing attacks
and any(recipients.to,
strings.icontains(..scan.qr.data, .email.email)

// the recipients sld is in the senders display name
or any(recipients.to,
strings.icontains(sender.display_name,
.email.domain.sld
)
)

// the recipient local is in the body
or any(recipients.to,
strings.icontains(body.current_thread.text,
.email.local_part
)
)

// or the body is null
or body.current_thread.text is null
or body.current_thread.text == ""

// or the subject contains authentication/urgency verbiage
or regex.contains(subject.subject,
"(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
)
)
)
)
)
)

and (
not any(headers.hops,
.authentication_results.compauth.verdict is not null
and .authentication_results.compauth.verdict == "pass"
and sender.email.domain.root_domain in ("docusign.net", "docusign.com")
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "PDF"
- "QR code"
- "Social engineering"
detection_methods:
- "Computer Vision"
- "Header analysis"
- "QR code analysis"
- "Sender analysis"
id: "0b16c28a-3f7e-5a90-bea5-473198424431"
Loading