Attachment: Adobe image lure in body or attachment with suspicious link

Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.

Sublime rule (View on GitHub)

 1name: "Attachment: Adobe image lure in body or attachment with suspicious link"
 2description: "Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    length(filter(attachments, .file_type not in $file_types_images)) == 0
 9    or length(filter(attachments, .file_type != "pdf")) == 0
10  )
11  and (
12    any(file.explode(beta.message_screenshot()),
13        any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Adobe")
14        and 0 < length(body.links) < 10
15        and any(body.links, .display_text is null)
16        and (
17          length(filter(body.links,
18                        (
19                          .display_text is null
20                          and .display_url.url == sender.email.domain.root_domain
21                        )
22                        or .href_url.domain.root_domain in (
23                          "aka.ms",
24                          "mimecast.com",
25                          "mimecastprotect.com",
26                          "cisco.com"
27                        )
28                 )
29          ) != length(body.links)
30        )
31    )
32    or any(attachments,
33            any(ml.logo_detect(.).brands,
34                   .name == "Adobe"
35                   and .confidence in ("medium", "high")
36                   and any(file.explode(..),
37                           (
38                             length(.scan.url.urls) > 0
39                             or length(.scan.pdf.urls) > 0
40                             or length(body.links) > 0
41                           )
42                   )
43           )
44    )
45  )
46  and (
47    (
48      (
49        length(headers.references) > 0
50        or not any(headers.hops,
51                   any(.fields, strings.ilike(.name, "In-Reply-To"))
52        )
53      )
54      and not (
55        (
56          strings.istarts_with(subject.subject, "RE:")
57          or strings.istarts_with(subject.subject, "RES:")
58          or strings.istarts_with(subject.subject, "R:")
59          or strings.istarts_with(subject.subject, "ODG:")
60          or strings.istarts_with(subject.subject, "答复:")
61          or strings.istarts_with(subject.subject, "AW:")
62          or strings.istarts_with(subject.subject, "TR:")
63          or strings.istarts_with(subject.subject, "FWD:")
64          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
65        )
66      )
67    )
68    or length(headers.references) == 0
69  )
70  // negate highly trusted sender domains unless they fail DMARC authentication
71  and (
72    (
73      sender.email.domain.root_domain in $high_trust_sender_root_domains
74      and not headers.auth_summary.dmarc.pass
75    )
76    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
77  )
78  and (
79    not profile.by_sender().solicited
80    or (
81      profile.by_sender().any_messages_malicious_or_spam
82      and not profile.by_sender().any_false_positives
83    )
84  )
85  and not profile.by_sender().any_false_positives  
86
87attack_types:
88  - "Malware/Ransomware"
89tactics_and_techniques:
90  - "Image as content"
91  - "Impersonation: Brand"
92detection_methods:
93  - "Content analysis"
94  - "Computer Vision"
95  - "Optical Character Recognition"
96  - "Sender analysis"
97  - "URL analysis"
98id: "1d7add81-9822-576a-bcae-c4440e75e393"
to-top