Service abuse: Behance document sharing with suspicious language

Detects inbound messages that pair document-sharing language with exactly one Behance gallery link, potentially indicating abuse of the legitimate Adobe Behance platform for malicious purposes.

Sublime rule (View on GitHub)

# Sublime Security detection rule. The `source` block is a Message Query Language
# (MQL) expression; the explanatory comments are kept outside that block scalar so
# the query text itself is unchanged.
name: "Service abuse: Behance document sharing with suspicious language"
description: "Detects messages containing document sharing language with a single Behance gallery link, potentially indicating abuse of the legitimate Adobe Behance platform for malicious purposes."
type: "rule"
severity: "medium"
# Detection logic, clause by clause:
#  - inbound mail only, and only when the current-thread body text is shorter than
#    10,000 characters (a longer body is never evaluated, so very long messages
#    fall outside this rule's coverage)
#  - the body text matches one of the lure patterns "*proposal*", "*specified link*"
#    or "*secure*" (case-insensitive wildcard match; the patterns are alternatives
#    rather than a conjunction, so "secure" alone satisfies the text condition)
#  - the filtered link list has exactly one entry, where a link counts only if BOTH
#    its href URL and its display URL have root domain behance.net and a path
#    containing '/gallery/'; a Behance link whose visible text points elsewhere
#    does not count toward the one-link requirement, and two or more qualifying
#    links do not fire either
#  - exclusion: senders whose root domain is in $high_trust_sender_root_domains
#    are exempt only when DMARC passed; coalesce(..., false) treats a missing
#    auth summary as not-passed, so a spoofed high-trust domain is still evaluated
source: |
  type.inbound
  and length(body.current_thread.text) < 10000
  and strings.ilike(body.current_thread.text,
                    "*proposal*",
                    "*specified link*",
                    "*secure*"
  )
  and length(filter(body.current_thread.links,
                    .href_url.domain.root_domain == 'behance.net'
                    and strings.icontains(.href_url.path, '/gallery/')
                    and .display_url.domain.root_domain == 'behance.net'
                    and strings.icontains(.display_url.path, '/gallery/')
             )
  ) == 1
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )  
# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
# Stable rule identifier; keep unchanged when editing the rule.
id: "7cd9666f-29fc-5390-9053-08537ef83051"