sublime-security · zoomequipd · Apr 30, 2025 · Apr 3, 2025 · Apr 3, 2025 · Apr 7, 2025
@@ -0,0 +1,83 @@
+name: "Service Abuse: HelloSign From an Unsolicited Sender Address"
+description: "Detects messages from HelloSign in which the document originates from a newly observed email address.  The email address is extracted from across multiple message components, including HTML body templates and email header fields."
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  and sender.email.domain.domain == "mail.hellosign.com"
+  and headers.auth_summary.spf.pass
+  and headers.auth_summary.dmarc.pass
+  and (
+    // extract the sender out of the body html template
+    (
+      // if the sender_email is available in the body
+      regex.icontains(body.html.raw,
+                      '<th class="action-item--action[^\>]+\>\s*[^\<]*\((?P<sender_email>[^\)]+)\).*?</th>'
+      )
+      // check that the sender email has not been observed previously
+      and all(regex.iextract(body.html.raw,
+                             '<th class="action-item--action[^\>]+\>\s*[^\<]*\((?P<sender_email>[^\"]+@(?P<sender_domain>[^\"]+))\).*?</th>'
+              ),
+              .named_groups["sender_domain"] not in $org_domains
+              and .named_groups["sender_email"] not in $recipient_emails
+              and .named_groups["sender_email"] not in $sender_emails
+              and not (
+                .named_groups["sender_domain"] not in $free_email_providers
+                and .named_groups["sender_domain"] in $recipient_domains
+                and .named_groups["sender_domain"] in $sender_domains
+              )
+      )
+    )
+
+    // extract the sender out of header hops if it's there
+    or any(headers.hops,
+           any(.fields,
+               .name == "X-Mailgun-Variables"
+               and strings.icontains(.value, 'on_behalf_of_email')
+               and all(regex.iextract(.value,
+                                      '\"on_behalf_of_email": \"(?P<sender_email>[^\"]+@(?P<sender_domain>[^\"]+))\",'
+                       ),
+                       .named_groups["sender_domain"] not in $org_domains
+                       and .named_groups["sender_email"] not in $recipient_emails
+                       and .named_groups["sender_email"] not in $sender_emails
+                       and not (
+                         .named_groups["sender_domain"] not in $free_email_providers
+                         and .named_groups["sender_domain"] in $recipient_domains
+                         and .named_groups["sender_domain"] in $sender_domains
+                       )
+               )
+           )
+    )
+
+    // extract the sender from the "reply to sender" element withn the body.html.raw
+    or (
+      regex.icontains(body.html.raw,
+                      '<a href="mailto:[^\?]+\?[^\"]+\"[^\>]+\>(?:<img[^\>]+\>)?\s*Reply to sender<\/a>'
+      )
+      and all(regex.iextract(body.html.raw,
+                             '<a href="mailto:(?P<sender_email>[^\?]+@(?P<sender_domain>[^\?]+))\?[^\"]+\"[^\>]+\>(?:<img[^\>]+\>)?\s*Reply to sender<\/a>'
+              ),
+              .named_groups["sender_domain"] not in $org_domains
+              and .named_groups["sender_email"] not in $recipient_emails
+              and .named_groups["sender_email"] not in $sender_emails
+              and not (
+                .named_groups["sender_domain"] not in $free_email_providers
+                and .named_groups["sender_domain"] in $recipient_domains
+                and .named_groups["sender_domain"] in $sender_domains
+              )
+      )
+    )
+  )
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Free file host"
+  - "Evasion"
+detection_methods:
+  - "HTML analysis"
+  - "Sender analysis"
+  - "Header analysis"
+id: "68ca0753-207f-56a0-9dba-3bbbad002bbf"