Attachment: Adobe image lure in body or attachment with suspicious link

Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.

Sublime rule (View on GitHub)

# Sublime Security detection rule (YAML front matter + MQL in `source`).
# Fires on inbound mail that pairs an Adobe brand logo, found by
# ml.logo_detect on a screenshot of the message or on an attachment, with
# link patterns typical of credential-phishing lures.
name: "Attachment: Adobe image lure in body or attachment with suspicious link"
description: "Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail whose attachments are all images OR all PDFs.
  // The two clauses are or'd, so a mix of images and PDFs does not qualify;
  // a message with no attachments at all satisfies both (filter of an empty
  // list has length 0).
  type.inbound
  and (
    length(filter(attachments, .file_type not in $file_types_images)) == 0
    or length(filter(attachments, .file_type != "pdf")) == 0
  )
  // Brand lure, detected in one of two ways.
  and (
    // (a) Adobe logo in a screenshot of the rendered message, a small number
    //     of body links (1..9), at least one link with no display text, and
    //     not every link falls into the "expected" set: a bare link whose
    //     display URL matches the sender's root domain, or an href on a
    //     known rewriter / redirector domain.
    // NOTE(review): `.display_url.url == sender.email.domain.root_domain`
    //     compares a full URL string with a root domain; confirm this is the
    //     intended comparison and not `.display_url.domain.root_domain`.
    any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Adobe")
    and 0 < length(body.links) < 10
    and any(body.links, .display_text is null)
    and (
      length(filter(body.links,
                    (
                      .display_text is null
                      and .display_url.url == sender.email.domain.root_domain
                    )
                    or .href_url.domain.root_domain in (
                      "aka.ms",
                      "mimecast.com",
                      "mimecastprotect.com",
                      "cisco.com"
                    )
             )
      ) != length(body.links)
    )
    // (b) Adobe logo on an attachment at medium/high confidence, where the
    //     exploded attachment exposes a URL (via URL or PDF scan) or the body
    //     has any link. The `length(body.links) > 0` alternative does not
    //     depend on the exploded file, so one body link is enough here.
    //     `..` refers to the enclosing attachment being iterated.
    or any(attachments,
           any(ml.logo_detect(.).brands,
               .name == "Adobe"
               and .confidence in ("medium", "high")
               and any(file.explode(..),
                       (
                         length(.scan.url.urls) > 0
                         or length(.scan.pdf.urls) > 0
                         or length(body.links) > 0
                       )
               )
           )
    )
  )
  // Thread handling: pass when there is no References header at all, or when
  // (References present, or no In-Reply-To hop field) and the subject does
  // not look like a reply/forward. Because of the trailing `or`, the subject
  // check only applies to messages that carry a References header.
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "RES:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
        )
      )
    )
    or length(headers.references) == 0
  )

  // not a newsletter
  and not any(headers.hops, any(.fields, .name == "List-Unsubscribe-Post"))

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Sender reputation: unsolicited sender, or a solicited one with prior
  // malicious/spam verdicts. The `and not any_false_positives` applied
  // below already covers the inner `not any_false_positives`, so the whole
  // gate reduces to: no false positives AND (unsolicited OR prior bad mail).
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
detection_methods:
  - "Content analysis"
  - "Computer Vision"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "1d7add81-9822-576a-bcae-c4440e75e393"