Service Abuse: Adobe Sign Notification From an Unsolicited Reply-To Address

 1name: "Service Abuse: Adobe Sign Notification From an Unsolicited Reply-To Address"
 2description: "Identifies messages appearing to come from Adobe Sign signature notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Adobe services while attempting to establish unauthorized communication channels."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // Legitimate Adobe Sign sending infratructure
 9  and sender.email.email == "adobesign@adobesign.com"
10  and headers.auth_summary.spf.pass
11  and headers.auth_summary.dmarc.pass
12  and strings.icontains(subject.subject, 'signature requested')
13  
14  //
15  // This rule makes use of a beta feature and is subject to change without notice
16  // using the beta feature in custom rules is not suggested until it has been formally released
17  //
18  
19  // reply-to address has never sent an email to the org
20  and beta.profile.by_reply_to().prevalence == "new"
21  
22  // reply-to email address has never been sent an email by the org
23  and not beta.profile.by_reply_to().solicited
24  
25  // do not match if the reply_to address has been observed as a reply_to address
26  // of a message that has been classified as benign
27  and not beta.profile.by_reply_to().any_messages_benign  
28
29tags:
30 - "Attack surface reduction"
31attack_types:
32  - "BEC/Fraud"
33  - "Callback Phishing"
34  - "Spam"
35tactics_and_techniques:
36  - "Social engineering"
37  - "Impersonation: Brand"
38detection_methods:
39  - "Header analysis"
40  - "Sender analysis"
41id: "d00893ba-a65a-5b04-88d1-f35512eae291"