[Shared Samples] [PR #3984] modified rule: PR# 3984 - Brand impersonation: DocuSign

github-actions[bot] · github-actions[bot] · commit 6516adba575f · 2026-02-18T16:33:05.000Z
diff --git a/detection-rules/3984_impersonation_docusign.yml b/detection-rules/3984_impersonation_docusign.yml
@@ -310,7 +310,7 @@ source: |
   and (
     any(
         // filter links that match docusign wording
-        filter(body.links,
+        filter(body.current_thread.links,
                // we've observed invisible characters in the display name
                // such as U+034F: "Revi\x{034F}ew Now"
                (
@@ -338,7 +338,7 @@ source: |
                  or strings.icontains(.display_text, "Review on Docusign")
                  or (
                    strings.icontains(.display_text, "Sign")
-                   and regex.icontains(.display_text, '(?:in|now)')
+                   and regex.icontains(.display_text, '(?:in\b|now)')
                  )
                )
         ),

Original file line number	Diff line number	Diff line change
`@@ -310,7 +310,7 @@ source: \|`
`310`	`310`	`and (`
`311`	`311`	`any(`
`312`	`312`	`// filter links that match docusign wording`
`313`		`- filter(body.links,`
	`313`	`+ filter(body.current_thread.links,`
`314`	`314`	`// we've observed invisible characters in the display name`
`315`	`315`	`// such as U+034F: "Revi\x{034F}ew Now"`
`316`	`316`	`(`
`@@ -338,7 +338,7 @@ source: \|`
`338`	`338`	`or strings.icontains(.display_text, "Review on Docusign")`
`339`	`339`	`or (`
`340`	`340`	`strings.icontains(.display_text, "Sign")`
`341`		`- and regex.icontains(.display_text, '(?:in\|now)')`
	`341`	`+ and regex.icontains(.display_text, '(?:in\b\|now)')`
`342`	`342`	`)`
`343`	`343`	`)`
`344`	`344`	`),`