Attachment: Adobe image lure in body or attachment with suspicious link
Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.
# Detection rule for Sublime Security. The `source:` block is MQL (Message Query
# Language): `//` lines inside it are MQL comments, and `$...` names are
# list variables supplied by the platform rather than defined in this file.
name: "Attachment: Adobe image lure in body or attachment with suspicious link"
description: "Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Attachment-shape gate: the message must carry only images, only PDFs, or a
  // mix of PDFs and images where every image is referenced inline (cid:) from
  // the HTML body. Any other attachment type falls out of the rule here.
  and (
    // all images
    length(filter(attachments, .file_type not in $file_types_images)) == 0
    // only pdf attachments
    or length(filter(attachments, .file_type != "pdf")) == 0
    // pdf and image attachments where images are all embedded into the message body
    or length(filter(attachments,
                     .file_type == 'pdf'
                     or (
                       .file_type in $file_types_images
                       and strings.icontains(body.html.raw,
                                             strings.concat("cid:", .content_id)
                       )
                     )
              )
    ) == length(attachments)
  )
  // Brand-lure gate: an Adobe logo either in a screenshot of the rendered
  // message or inside an attachment, each branch paired with its own link check.
  and (
    (
      // Logo found in a screenshot of the rendered message.
      // NOTE(review): no .confidence filter on this branch, unlike the attachment
      // branch below; a low-confidence detection is enough here.
      any(ml.logo_detect(file.message_screenshot()).brands, .name == "Adobe")
      // few links overall, and at least one with no display text (e.g. an image link)
      and 0 < length(body.links) < 10
      and any(body.links, .display_text is null)
      // Require that not every link is explained away: the filter keeps links that
      // are either a text-less link whose display URL equals the sender's root
      // domain, or a link whose href points at a known rewriting/vendor domain.
      // If that accounts for all links, nothing suspicious is left and the
      // branch fails.
      and (
        length(filter(body.links,
                      (
                        .display_text is null
                        // NOTE(review): compares the full display URL string with the
                        // sender root domain (not .display_url.domain.root_domain);
                        // confirm this is the intended comparison
                        and .display_url.url == sender.email.domain.root_domain
                      )
                      // hard-coded allowlist of link-rewriting / vendor root domains
                      or .href_url.domain.root_domain in (
                        "aka.ms",
                        "mimecast.com",
                        "mimecastprotect.com",
                        "cisco.com"
                      )
               )
        ) != length(body.links)
      )
    )
    or any(filter(attachments,
                  // filter down to attachments with an Adobe logo at medium/high confidence
                  any(ml.logo_detect(.).brands,
                      .name == "Adobe" and .confidence in ("medium", "high")
                  )
           ),
           // the attachment (or message body) contains links.
           // NOTE(review): body.links does not depend on the exploded file, so a
           // message body with at least one link satisfies this for every
           // logo-bearing attachment that explodes to at least one item.
           any(file.explode(.),
               (
                 length(.scan.url.urls) > 0
                 or length(.scan.pdf.urls) > 0
                 or length(body.links) > 0
               )
           )
    )
  )
  // Reply suppression: a message with no References header always passes this
  // gate; a threaded message passes only when its subject does not look like a
  // reply or forward.
  and (
    (
      // NOTE(review): because of the `length(headers.references) == 0` fallback
      // below, the `headers.in_reply_to is null` alternative does not change the
      // outcome of this gate.
      (length(headers.references) > 0 or headers.in_reply_to is null)
      and not (
        (
          // localized reply/forward subject prefixes
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "RES:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          // up to three leading [tags] followed by re:/fw:/fwd:
          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
        )
      )
    )
    or length(headers.references) == 0
  )

  // not a newsletter or advertisement
  and not any(headers.hops, any(.fields, .name == "List-Unsubscribe-Post"))
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in ("Advertising and Promotions", "Newsletters and Digests")
              and .confidence == "high"
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Sender-reputation gate: at least one of the following must hold.
  and (
    // exclude solicited senders
    not profile.by_sender_email().solicited
    or profile.by_sender_email().prevalence == "new"
    or length(recipients.to) == 0
    // or every to/cc recipient domain is invalid (the code checks `.valid == false`
    // for all of them, not that they are valid)
    or (
      all(recipients.to, .email.domain.valid == false)
      and all(recipients.cc, .email.domain.valid == false)
    )
    // or the sender has malicious/spam history and no benign history
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_messages_benign
    )
  )
  // Any benign history from this sender suppresses the rule outright. This also
  // makes the `not ... any_messages_benign` clause in the branch just above redundant.
  and not profile.by_sender_email().any_messages_benign
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
detection_methods:
  - "Content analysis"
  - "Computer Vision"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "1d7add81-9822-576a-bcae-c4440e75e393"