Attachment: Adobe image lure in body or attachment with suspicious link
Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.
# Sublime detection rule (YAML front matter + MQL in `source`).
# Fires on an inbound message that (1) carries only images / PDFs / inline
# images, (2) shows an Adobe logo either in the rendered message screenshot
# or inside an attachment, together with links, (3) is not a reply or a
# newsletter, and (4) does not come from a sender the org already trusts.
# Each gate is commented inline below; `$...` names are Sublime lists.
name: "Attachment: Adobe image lure in body or attachment with suspicious link"
description: "Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // gate 1: attachment composition — every attachment must fit one of the
  // three shapes below, otherwise the rule does not evaluate the logo checks
  and (
    // all images
    length(filter(attachments, .file_type not in $file_types_images)) == 0
    // only pdf attachments
    or length(filter(attachments, .file_type != "pdf")) == 0
    // pdf and image attachments where every image is referenced from the
    // HTML body by its content id (i.e. it is inline, not a loose file)
    or length(filter(attachments,
                     .file_type == 'pdf'
                     or (
                       .file_type in $file_types_images
                       and strings.icontains(body.html.raw,
                                             strings.concat("cid:", .content_id)
                       )
                     )
       )
    ) == length(attachments)
  )
  // gate 2: Adobe branding plus links, via either of two branches
  and (
    // branch A: logo detected on the rendered message screenshot, with a
    // small number of body links, at least one of which has no display text
    (
      any(ml.logo_detect(file.message_screenshot()).brands, .name == "Adobe")
      and 0 < length(body.links) < 10
      and any(body.links, .display_text is null)
      // require at least one link that is NOT (a bare-domain link matching
      // the sender's root domain) and NOT pointing at one of the listed
      // redirector/security-gateway domains
      and (
        length(filter(body.links,
                      (
                        .display_text is null
                        // presumably a bare-domain display URL equal to the
                        // sender's root domain — confirm the field semantics
                        and .display_url.url == sender.email.domain.root_domain
                      )
                      or .href_url.domain.root_domain in (
                        "aka.ms",
                        "mimecast.com",
                        "mimecastprotect.com",
                        "cisco.com"
                      )
                      // NOTE(review): when every body link has been
                      // rewritten through one of these domains, branch A
                      // cannot match; the final-destination URL is not
                      // inspected here
               )
        ) != length(body.links)
      )
    )
    // branch B: logo detected inside an attachment (medium/high confidence
    // only — branch A applies no confidence threshold) and links are present
    // in that attachment's exploded scan results or in the message body
    or any(filter(attachments,
                  // filter down to attachments with adobe logo
                  any(ml.logo_detect(.).brands,
                      .name == "Adobe" and .confidence in ("medium", "high")
                  )
           ),
           // the attachment (or message body) contains links
           any(file.explode(.),
               (
                 length(.scan.url.urls) > 0
                 or length(.scan.pdf.urls) > 0
                 // body.links does not depend on the exploded file; it makes
                 // this any() true for every logo-bearing attachment once the
                 // body has any link
                 or length(body.links) > 0
               )
           )
    )
  )
  // gate 3: not a reply/forward — either there are no References at all, or
  // (there is threading context or no In-Reply-To) and the subject does not
  // carry a reply/forward prefix in any of the listed localisations
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "RES:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          // up to three leading "[tag]" groups followed by re:/fw:/fwd:
          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
        )
      )
    )
    or length(headers.references) == 0
  )

  // gate 4: not a newsletter or advertisement
  and not any(headers.hops, any(.fields, .name == "List-Unsubscribe-Post"))
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in ("Advertising and Promotions", "Newsletters and Digests")
              and .confidence == "high"
  )

  // gate 5: negate highly trusted sender domains unless they fail DMARC
  // authentication (a spoofed trusted domain still matches)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // gate 6: sender profile — exclude solicited, established senders unless
  // one of the listed exceptions applies
  and (
    // exclude solicited senders
    not profile.by_sender_email().solicited
    or profile.by_sender_email().prevalence == "new"
    or length(recipients.to) == 0
    // exception: every to/cc recipient domain is invalid, so the
    // solicited-sender exclusion is not applied
    or (
      all(recipients.to, .email.domain.valid == false)
      and all(recipients.cc, .email.domain.valid == false)
    )
    // exception: sender has prior malicious/spam verdicts and no benign ones
    // (the "no benign" half is restated unconditionally on the last line)
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_messages_benign
    )
  )
  // any prior benign verdict for this sender suppresses the rule outright
  and not profile.by_sender_email().any_messages_benign

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
detection_methods:
  - "Content analysis"
  - "Computer Vision"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "1d7add81-9822-576a-bcae-c4440e75e393"