Attachment: Adobe image lure in body or attachment with suspicious link
Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.
# Sublime Security detection rule; the `source` block scalar holds the MQL query
# that is evaluated per inbound message.
name: "Attachment: Adobe image lure in body or attachment with suspicious link"
description: "Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // attachments must be all images or all PDFs; a message with no attachments
  // satisfies both filters and therefore also passes this gate
  and (
    length(filter(attachments, .file_type not in $file_types_images)) == 0
    or length(filter(attachments, .file_type != "pdf")) == 0
  )
  and (
    // branch 1: Adobe logo in a screenshot of the rendered message body, a small
    // link set (1-9 links) with at least one link lacking display text, and at
    // least one link that does not fit either allow-listed shape below.
    // NOTE(review): unlike branch 2, no logo-detection confidence threshold is applied here
    (
      any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Adobe")
      and 0 < length(body.links) < 10
      and any(body.links, .display_text is null)
      and (
        length(filter(body.links,
                      (
                        // bare link whose display URL is the sender's root domain
                        .display_text is null
                        and .display_url.url == sender.email.domain.root_domain
                      )
                      // NOTE(review): presumably link-rewriting / redirect services - confirm
                      or .href_url.domain.root_domain in (
                        "aka.ms",
                        "mimecast.com",
                        "mimecastprotect.com",
                        "cisco.com"
                      )
               )
        ) != length(body.links)
      )
    )
    // branch 2: an attachment whose logo detection reports Adobe at medium or
    // high confidence, where the exploded attachment yields URLs
    or any(filter(attachments,
                  // filter down to attachments with adobe logo
                  any(ml.logo_detect(.).brands,
                      .name == "Adobe" and .confidence in ("medium", "high")
                  )
           ),
           // the attachment (or message body) contain links
           // (the body.links test does not depend on the attachment being examined)
           any(file.explode(.),
               (
                 length(.scan.url.urls) > 0
                 or length(.scan.pdf.urls) > 0
                 or length(body.links) > 0
               )
           )
    )
  )
  // not a reply or forward: when References is populated the subject must not
  // carry a reply/forward prefix; messages with no References pass regardless.
  // NOTE(review): the In-Reply-To test below never changes the outcome - with
  // References present the first disjunct already holds, and without it the
  // outer `or` does
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "RES:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
        )
      )
    )
    or length(headers.references) == 0
  )

  // not a newsletter or advertisement
  and not any(headers.hops, any(.fields, .name == "List-Unsubscribe-Post"))
  and not any(beta.ml_topic(body.current_thread.text).topics,
              .name in ("Advertising and Promotions", "Newsletters and Digests")
              and .confidence == "high"
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender reputation: unsolicited, new, or previously malicious/spam. Any
  // recorded false positive suppresses the rule outright (final clause), which
  // makes the any_false_positives test inside the third disjunct redundant
  and (
    not profile.by_sender_email().solicited
    or profile.by_sender_email().prevalence == "new"
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_false_positives
    )
  )
  and not profile.by_sender_email().any_false_positives

# classification metadata
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
detection_methods:
  - "Content analysis"
  - "Computer Vision"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "1d7add81-9822-576a-bcae-c4440e75e393"