sublime-security · missingn0pe · Dec 29, 2025 · Dec 29, 2025 · Dec 31, 2025 · Jan 5, 2026
@@ -0,0 +1,46 @@
+name: "Brand impersonation: AuthentiSign"
+description: "Detects messages impersonating AuthentiSign through display name, domain, subject, or body content that either originate from non-AuthentiSign or spoofed domains."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    strings.icontains(body.current_thread.text, "authentisign")
+    and (
+      regex.icontains(body.current_thread.text,
+                      '\b(?:s[\s\W_]*i[\s\W_]*g[\s\W_]*n[\s\W_]*i[\s\W_]*n[\s\W_]*g[\s\W_]) (?:p[\s\W_]*a[\s\W_]*r[\s\W_]*t[\s\W_]*y)\b',
+      )
+      or strings.ilike(body.current_thread.text,
+                       "*signing name*",
+                       "*signing party*"
+      )
+      or strings.ilike(sender.display_name, '*authentisign*')
+      or strings.ilevenshtein(sender.display_name, 'authentisign') <= 1
+      or strings.ilike(sender.email.domain.domain, '*authentisign*')
+    )
+    and (
+      sender.email.domain.root_domain != "authentisign.com"
+      or (
+        sender.email.domain.root_domain == "authentisign.com"
+        and not (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
+      )
+    )
+    // negate legitimate conversations
+    and not (
+      (subject.is_forward or subject.is_reply)
+      and (length(headers.references) != 0 or headers.in_reply_to is not null)
+    )
+  )
+
+attack_types:
+  - "Credential Phishing"
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Lookalike domain"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "445a8c8b-cd38-5161-bf56-2eab83419e24"