Service Abuse: DocuSign Share From an Unsolicited Reply-To Address

Sublime Rules

Summary
This detection rule identifies potentially malicious DocuSign shares that carry an unsolicited reply-to address. It targets a service-abuse pattern used in credential phishing: because the envelope is sent through DocuSign itself, the message comes from a real DocuSign sender and passes authentication, so the attacker-controlled reply-to address is the tell rather than any spoofing of the sender. The rule flags a message only when all of the following conditions hold:
  • The sender is a recognized DocuSign domain, namely 'docusign.net'.
  • The reply-to address is not on the known DocuSign domain 'docusign.com'.
  • SPF and DMARC authentication results confirm that the message genuinely originated from DocuSign rather than being spoofed.
  • The subject line does not contain benign phrases, such as those indicating that the document is completed or voided.
  • The reply-to address has no prior communication with the recipient's organization, and it has not been marked benign in any previous flagged message.
Combining these checks lets an organization single out DocuSign notifications whose replies would be routed to an unknown party, while excluding routine envelope traffic, and so remain vigilant against this social engineering tactic.
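The following is an added example, not the rule's own MQL from Sublime and not code from this page: it evaluates the conditions listed above in Python over a handful of constructed sample messages. The message shape, the `ReplyToProfile` history lookup, the sample addresses and the decision that either an SPF or a DMARC pass suffices are all assumptions made for the example; the page does not state how the real rule combines the two authentication results.

```python
"""Added example: the DocuSign unsolicited reply-to conditions evaluated
over constructed sample messages. Not Sublime's rule; the data shapes
below (Message, ReplyToProfile) are assumptions for this illustration."""
from dataclasses import dataclass
from typing import Dict, List

DOCUSIGN_SENDER_DOMAIN = "docusign.net"    # expected envelope sender domain
DOCUSIGN_REPLY_TO_DOMAIN = "docusign.com"  # legitimate reply-to domain
BENIGN_SUBJECT_MARKERS = ("completed", "voided")  # excluded per the summary


@dataclass
class Message:
    """Assumed message shape: bare addresses, already parsed headers."""
    sender: str
    reply_to: List[str]
    subject: str
    spf_pass: bool
    dmarc_pass: bool


@dataclass
class ReplyToProfile:
    """Assumed stand-in for a sender-history lookup against the org."""
    prior_messages: int = 0   # earlier messages seen from this reply-to
    marked_benign: int = 0    # earlier flags an analyst marked benign


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def in_domain(address: str, domain: str) -> bool:
    d = domain_of(address)
    return d == domain or d.endswith("." + domain)


def subject_is_benign(subject: str) -> bool:
    s = subject.lower()
    return any(marker in s for marker in BENIGN_SUBJECT_MARKERS)


def flag_unsolicited_docusign_reply_to(msg: Message,
                                       profiles: Dict[str, ReplyToProfile]) -> List[str]:
    """Return the reply-to addresses that make msg match the rule
    (an empty list means the message is not flagged)."""
    if not in_domain(msg.sender, DOCUSIGN_SENDER_DOMAIN):
        return []
    # Service abuse, not spoofing: the mail must really come from DocuSign.
    # Assumption: a pass on either SPF or DMARC is accepted as genuine.
    if not (msg.spf_pass or msg.dmarc_pass):
        return []
    if subject_is_benign(msg.subject):
        return []
    hits = []
    for addr in msg.reply_to:
        if in_domain(addr, DOCUSIGN_REPLY_TO_DOMAIN):
            continue  # reply-to stays with DocuSign: not the abuse pattern
        prof = profiles.get(addr.lower(), ReplyToProfile())
        if prof.prior_messages == 0 and prof.marked_benign == 0:
            hits.append(addr.lower())
    return hits


# Constructed samples (hypothetical domains, not real traffic).
SAMPLES = {
    "legit": Message("dse@docusign.net", ["dse@docusign.com"],
                     "Please DocuSign: NDA.pdf", True, True),
    "abuse": Message("dse@docusign.net", ["payments@lookalike-vendor.example"],
                     "Please DocuSign: Overdue Invoice.pdf", True, True),
    "abuse_completed": Message("dse@docusign.net", ["payments@lookalike-vendor.example"],
                               "Completed: Overdue Invoice.pdf", True, True),
    "spoofed": Message("dse@docusign.net", ["payments@lookalike-vendor.example"],
                       "Please DocuSign: Overdue Invoice.pdf", False, False),
    "known_reply_to": Message("dse@docusign.net", ["accounts@partner.example"],
                              "Please DocuSign: MSA renewal.pdf", True, True),
    "prior_benign": Message("dse@docusign.net", ["hr@new-supplier.example"],
                            "Please DocuSign: Onboarding form.pdf", True, True),
}
PROFILES = {
    "accounts@partner.example": ReplyToProfile(prior_messages=12),
    "hr@new-supplier.example": ReplyToProfile(prior_messages=0, marked_benign=1),
}


def evaluate_samples() -> Dict[str, List[str]]:
    """Run every constructed sample through the rule."""
    return {name: flag_unsolicited_docusign_reply_to(m, PROFILES)
            for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in evaluate_samples().items():
        print(f"{name:16s} -> {'FLAG ' + ', '.join(hits) if hits else 'pass'}")
```

Only the "abuse" sample is flagged: the completed-subject variant is excluded as benign envelope traffic, the spoofed variant fails authentication (it is outside this rule's scope, which is abuse of the real service), and the two known reply-to addresses are excluded by sender history.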
Categories
  • Web
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2024-11-06