[PR #3718] added rule: Brand impersonation: AuthentiSign

github-actions[bot] · github-actions[bot] · commit 3336690c00d7 · 2026-01-09T17:36:32.000Z
diff --git a/detection-rules/3718_impersonation_authentisign.yml b/detection-rules/3718_impersonation_authentisign.yml
@@ -0,0 +1,72 @@
+name: "Brand impersonation: AuthentiSign"
+description: "Detects messages impersonating AuthentiSign through display name, domain, subject, or body content that either originate from non-AuthentiSign or spoofed domains."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    (
+      strings.icontains(body.current_thread.text, "authentisign")
+      and (
+        strings.ilike(body.current_thread.text,
+                      "*signing party*",
+                      "*signing name*"
+        )
+        or any(body.links,
+               regex.icontains(.display_text,
+                               '\bs[\s\W_]*i[\s\W_]*g[\s\W_]*n\b',
+                               'sign'
+               )
+        )
+      )
+    )
+    or strings.ilike(sender.display_name, '*authentisign*')
+    or strings.ilevenshtein(sender.display_name, 'authentisign') <= 1
+    or strings.ilike(sender.email.domain.domain, '*authentisign*')
+  )
+  and (
+    sender.email.domain.root_domain != "authentisign.com"
+    or (
+      sender.email.domain.root_domain == "authentisign.com"
+      and not (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
+    )
+  )
+  // negate legitimate conversations
+  and not (
+    (
+      strings.istarts_with(subject.subject, "RE:")
+      or strings.istarts_with(subject.subject, "RES:")
+      or strings.istarts_with(subject.subject, "R:")
+      or strings.istarts_with(subject.subject, "ODG:")
+      or strings.istarts_with(subject.subject, "答复:")
+      or strings.istarts_with(subject.subject, "AW:")
+      or strings.istarts_with(subject.subject, "TR:")
+      or strings.istarts_with(subject.subject, "FW:")
+      or strings.istarts_with(subject.subject, "FWD:")
+      or regex.imatch(subject.subject,
+                      '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
+      )
+      or subject.is_reply
+      or subject.is_forward
+    )
+    and (
+      length(headers.references) > 0
+      and any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+    )
+  )
+
+attack_types:
+  - "Credential Phishing"
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Lookalike domain"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "ab955fb0-5fc9-55e9-9861-3bbd5458ec14"
+og_id: "445a8c8b-cd38-5161-bf56-2eab83419e24"
+testing_pr: 3718
+testing_sha: 6aa85ccd8c5d6576dd17d8a8414dd1c1c4432140
