Query Details

Docu Shield NRT Anti Impersonation Email Purge

Query

// DocuShield: NRT’s Anti-Impersonation Email Purge! 🤣

// Christmas comes early! Here’s my near real-time custom detection for DocuSign impersonation emails ➡️ 🗑️ A simple and effective filter.

EmailEvents
| where Subject startswith "Complete with Docusign"
| where SenderFromDomain !endswith "docusign.net"
| where DeliveryAction != "Blocked"

Explanation

This query is designed to identify and filter out suspicious emails that are attempting to impersonate DocuSign communications. Here's a simple breakdown of what it does:

  1. Data Source: It looks at email events, which are records of emails sent and received.

  2. Subject Filter: It searches for emails with subjects that start with "Complete with Docusign". This is a common phrase used in DocuSign-related emails.

  3. Sender Domain Check: It keeps only emails whose sender domain does not end with "docusign.net". This helps identify emails that claim to be from DocuSign but are actually from other domains, which could be fraudulent.

  4. Delivery Action: It keeps only emails whose delivery action is not "Blocked", meaning they were not already stopped by existing filters or security measures.

Overall, this query helps detect and potentially remove phishing emails that mimic DocuSign communications but come from unauthorized sources.
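The filter steps above, run over constructed rows, as an added example that is not part of the original query or the author's own code. The table name SampleEmailEvents, the columns OriginalRuleFlags and StrictRuleFlags, and every sample row are assumptions made for illustration. Because !endswith is a plain suffix test, the constructed sender "notdocusign.net" is treated as DocuSign by the original check, while the boundary-aware check (exact domain or a subdomain of it) flags it.

```kql
// Constructed sample rows standing in for the EmailEvents table.
let SampleEmailEvents = datatable(Subject:string, SenderFromDomain:string, DeliveryAction:string)
[
    // Sender domain is exactly docusign.net
    "Complete with Docusign: NDA.pdf",       "docusign.net",        "Delivered",
    // Sender domain is a subdomain of docusign.net
    "Complete with Docusign: Contract.pdf",  "eumail.docusign.net", "Delivered",
    // Unrelated sender domain, delivered
    "Complete with Docusign: Invoice.pdf",   "example.com",         "Delivered",
    // Different domain whose name merely ends in the same characters
    "Complete with Docusign: Invoice.pdf",   "notdocusign.net",     "Delivered",
    // Unrelated sender domain, already blocked
    "Complete with Docusign: Invoice.pdf",   "example.org",         "Blocked",
    // Subject does not match the filter
    "Quarterly report",                      "example.com",         "Delivered"
];
SampleEmailEvents
| where Subject startswith "Complete with Docusign"
| where DeliveryAction != "Blocked"
// Sender check as written in the query on this page: plain suffix match.
| extend OriginalRuleFlags = SenderFromDomain !endswith "docusign.net"
// Boundary-aware variant (assumption): not the exact domain and not a subdomain of it.
| extend StrictRuleFlags = not(SenderFromDomain =~ "docusign.net"
                               or SenderFromDomain endswith ".docusign.net")
| project Subject, SenderFromDomain, DeliveryAction, OriginalRuleFlags, StrictRuleFlags
```

Rows where the two flag columns disagree are the ones the suffix test lets through.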

Details

Steven Lim

Released: December 12, 2024

Tables

EmailEvents

Keywords

EmailEvents, Subject, SenderFromDomain, DeliveryAction

Operators

startswith, !endswith, !=