Attachment: Adobe image lure with suspicious link

calendar May 2, 2024  ยท
Share on: linkedin copy

Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language.

Sublime rule (View on GitHub)

 1name: "Attachment: Adobe image lure with suspicious link"
 2description: "Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    length(filter(attachments, .file_type not in $file_types_images)) == 0
 9    or length(filter(attachments, .file_type != "pdf")) == 0
10  )
11  and any(body.links, .display_text is null)
12  and (
13    length(filter(body.links,
14                  (
15                    .display_text is null
16                    and .display_url.url == sender.email.domain.root_domain
17                  )
18                  or .href_url.domain.root_domain in (
19                    "aka.ms",
20                    "mimecast.com",
21                    "cisco.com"
22                  )
23           )
24    ) != length(body.links)
25  )
26  and (
27    any(file.explode(beta.message_screenshot()),
28        any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Adobe")
29        and 0 < length(body.links) < 10
30    )
31    or any(attachments,
32           any(ml.logo_detect(.).brands,
33               .name == "Adobe"
34               and .confidence in ("medium", "high")
35               and any(file.explode(..),
36                       (
37                         length(.scan.url.urls) > 0
38                         or length(.scan.pdf.urls) > 0
39                         or length(body.links) > 0
40                       )
41               )
42           )
43    )
44  )
45  
46  // negate highly trusted sender domains unless they fail DMARC authentication
47  and (
48    (
49      sender.email.domain.root_domain in $high_trust_sender_root_domains
50      and not headers.auth_summary.dmarc.pass
51    )
52    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
53  )
54  
55  and (
56    not profile.by_sender().solicited
57    or (
58      profile.by_sender().any_messages_malicious_or_spam
59      and not profile.by_sender().any_false_positives
60    )
61  )
62  and not profile.by_sender().any_false_positives  
63
64attack_types:
65  - "Malware/Ransomware"
66tactics_and_techniques:
67  - "Image as content"
68  - "Impersonation: Brand"
69detection_methods:
70  - "Content analysis"
71  - "Computer Vision"
72  - "Optical Character Recognition"
73  - "Sender analysis"
74  - "URL analysis"
75id: "1d7add81-9822-576a-bcae-c4440e75e393"
to-top