Attachment: Adobe image lure in body or attachment with suspicious link

calendar Sep 20, 2024  ·
Share on: linkedin copy

Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.

Sublime rule (View on GitHub)

  1name: "Attachment: Adobe image lure in body or attachment with suspicious link"
  2description: "Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and (
  8    length(filter(attachments, .file_type not in $file_types_images)) == 0
  9    or length(filter(attachments, .file_type != "pdf")) == 0
 10  )
 11  and (
 12    any(file.explode(beta.message_screenshot()),
 13        any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Adobe")
 14        and 0 < length(body.links) < 10
 15        and any(body.links, .display_text is null)
 16        and (
 17          length(filter(body.links,
 18                        (
 19                          .display_text is null
 20                          and .display_url.url == sender.email.domain.root_domain
 21                        )
 22                        or .href_url.domain.root_domain in (
 23                          "aka.ms",
 24                          "mimecast.com",
 25                          "mimecastprotect.com",
 26                          "cisco.com"
 27                        )
 28                 )
 29          ) != length(body.links)
 30        )
 31    )
 32    or any(attachments,
 33            any(ml.logo_detect(.).brands,
 34                   .name == "Adobe"
 35                   and .confidence in ("medium", "high")
 36                   and any(file.explode(..),
 37                           (
 38                             length(.scan.url.urls) > 0
 39                             or length(.scan.pdf.urls) > 0
 40                             or length(body.links) > 0
 41                           )
 42                   )
 43           )
 44    )
 45  )
 46  and (
 47    (
 48      (
 49        length(headers.references) > 0
 50        or not any(headers.hops,
 51                   any(.fields, strings.ilike(.name, "In-Reply-To"))
 52        )
 53      )
 54      and not (
 55        (
 56          strings.istarts_with(subject.subject, "RE:")
 57          or strings.istarts_with(subject.subject, "RES:")
 58          or strings.istarts_with(subject.subject, "R:")
 59          or strings.istarts_with(subject.subject, "ODG:")
 60          or strings.istarts_with(subject.subject, "答复:")
 61          or strings.istarts_with(subject.subject, "AW:")
 62          or strings.istarts_with(subject.subject, "TR:")
 63          or strings.istarts_with(subject.subject, "FWD:")
 64          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
 65        )
 66      )
 67    )
 68    or length(headers.references) == 0
 69  )
 70
 71  // not a newsletter
 72  and not any(headers.hops, any(.fields, .name == "List-Unsubscribe-Post"))
 73  
 74  // negate highly trusted sender domains unless they fail DMARC authentication
 75  and (
 76    (
 77      sender.email.domain.root_domain in $high_trust_sender_root_domains
 78      and not headers.auth_summary.dmarc.pass
 79    )
 80    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 81  )
 82  and (
 83    not profile.by_sender().solicited
 84    or (
 85      profile.by_sender().any_messages_malicious_or_spam
 86      and not profile.by_sender().any_false_positives
 87    )
 88  )
 89  and not profile.by_sender().any_false_positives  
 90
 91attack_types:
 92  - "Credential Phishing"
 93tactics_and_techniques:
 94  - "Image as content"
 95  - "Impersonation: Brand"
 96detection_methods:
 97  - "Content analysis"
 98  - "Computer Vision"
 99  - "Optical Character Recognition"
100  - "Sender analysis"
101  - "URL analysis"
102id: "1d7add81-9822-576a-bcae-c4440e75e393"
to-top