Attachment: Adobe image lure in body or attachment with suspicious link
Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.
Sublime rule (View on GitHub)
1name: "Attachment: Adobe image lure in body or attachment with suspicious link"
2description: "Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 length(filter(attachments, .file_type not in $file_types_images)) == 0
9 or length(filter(attachments, .file_type != "pdf")) == 0
10 )
11 and (
12 any(file.explode(beta.message_screenshot()),
13 any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Adobe")
14 and 0 < length(body.links) < 10
15 and any(body.links, .display_text is null)
16 and (
17 length(filter(body.links,
18 (
19 .display_text is null
20 and .display_url.url == sender.email.domain.root_domain
21 )
22 or .href_url.domain.root_domain in (
23 "aka.ms",
24 "mimecast.com",
25 "mimecastprotect.com",
26 "cisco.com"
27 )
28 )
29 ) != length(body.links)
30 )
31 )
32 or any(attachments,
33 any(ml.logo_detect(.).brands,
34 .name == "Adobe"
35 and .confidence in ("medium", "high")
36 and any(file.explode(..),
37 (
38 length(.scan.url.urls) > 0
39 or length(.scan.pdf.urls) > 0
40 or length(body.links) > 0
41 )
42 )
43 )
44 )
45 )
46 and (
47 (
48 (
49 length(headers.references) > 0
50 or not any(headers.hops,
51 any(.fields, strings.ilike(.name, "In-Reply-To"))
52 )
53 )
54 and not (
55 (
56 strings.istarts_with(subject.subject, "RE:")
57 or strings.istarts_with(subject.subject, "RES:")
58 or strings.istarts_with(subject.subject, "R:")
59 or strings.istarts_with(subject.subject, "ODG:")
60 or strings.istarts_with(subject.subject, "答复:")
61 or strings.istarts_with(subject.subject, "AW:")
62 or strings.istarts_with(subject.subject, "TR:")
63 or strings.istarts_with(subject.subject, "FWD:")
64 or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
65 )
66 )
67 )
68 or length(headers.references) == 0
69 )
70 // negate highly trusted sender domains unless they fail DMARC authentication
71 and (
72 (
73 sender.email.domain.root_domain in $high_trust_sender_root_domains
74 and not headers.auth_summary.dmarc.pass
75 )
76 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
77 )
78 and (
79 not profile.by_sender().solicited
80 or (
81 profile.by_sender().any_messages_malicious_or_spam
82 and not profile.by_sender().any_false_positives
83 )
84 )
85 and not profile.by_sender().any_false_positives
86
87attack_types:
88 - "Malware/Ransomware"
89tactics_and_techniques:
90 - "Image as content"
91 - "Impersonation: Brand"
92detection_methods:
93 - "Content analysis"
94 - "Computer Vision"
95 - "Optical Character Recognition"
96 - "Sender analysis"
97 - "URL analysis"
98id: "1d7add81-9822-576a-bcae-c4440e75e393"