Attachment: Adobe image lure with suspicious link

Detects Adobe-themed phishing messages that carry an Adobe logo as an attachment and use suspicious link language.


 1name: "Attachment: Adobe image lure with suspicious link"
 2description: "Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    length(filter(attachments, .file_type not in $file_types_images)) == 0
 9    or length(filter(attachments, .file_type != "pdf")) == 0
10  )
11  and all(body.links, .display_text is null)
12  and any(attachments,
13          any(ml.logo_detect(.).brands,
14              .name == "Adobe" and .confidence in ("medium", "high")
15          )
16          and any(file.explode(.),
17                  strings.ilike(.scan.ocr.raw,
18                                "*review*",
19                                "*sign*",
20                                "*view*",
21                                "*completed document*",
22                                "*open agreement*"
23                  )
24                  and (
25                    (length(body.links) > 0)
26                    or (length(.scan.url.urls) > 0 or length(.scan.pdf.urls) > 0)
27                  )
28          )
29  )
30
31  // negate highly trusted sender domains unless they fail DMARC authentication
32  and (
33    (
34      sender.email.domain.root_domain in $high_trust_sender_root_domains
35      and (
36        any(distinct(headers.hops, .authentication_results.dmarc is not null),
37            strings.ilike(.authentication_results.dmarc, "*fail")
38        )
39      )
40    )
41    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
42  )
43
44  and (
45    not profile.by_sender().solicited
46    or (
47      profile.by_sender().any_messages_malicious_or_spam
48      and not profile.by_sender().any_false_positives
49    )
50  )
51  
52  and not profile.by_sender().any_false_positives  
53attack_types:
54  - "Malware/Ransomware"
55tactics_and_techniques:
56  - "Image as content"
57  - "Impersonation: Brand"
58detection_methods:
59  - "Content analysis"
60  - "Computer Vision"
61  - "Optical Character Recognition"
62  - "Sender analysis"
63  - "URL analysis"
64id: "1d7add81-9822-576a-bcae-c4440e75e393"