Attachment: Adobe image lure with suspicious link
Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language.
# Sublime Security detection rule. The `source` block is the query evaluated
# against each message; the remaining keys are descriptive metadata.
name: "Attachment: Adobe image lure with suspicious link"
description: "Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language."
type: "rule"
severity: "medium"
source: |
  // Only inbound mail is evaluated.
  type.inbound
  // Attachment shape: either every attachment is an image type, or every
  // attachment is a PDF. Each filter counts the attachments that do NOT
  // match, so a count of zero means "all of them match".
  and (
    length(filter(attachments, .file_type not in $file_types_images)) == 0
    or length(filter(attachments, .file_type != "pdf")) == 0
  )
  // At least one body link carries no display text.
  and any(body.links, .display_text is null)
  // Link allow-listing. Count the links that are either
  //   (a) display-text-less links whose display URL equals the sender's
  //       root domain, or
  //   (b) links whose href root domain is one of the listed vendor domains.
  // The rule only proceeds when at least one link falls OUTSIDE that set,
  // i.e. the filtered count differs from the total link count.
  // NOTE(review): (a) compares a full URL string against a root-domain
  // string; confirm that this comparison matches as intended.
  and (
    length(filter(body.links,
                  (
                    .display_text is null
                    and .display_url.url == sender.email.domain.root_domain
                  )
                  or .href_url.domain.root_domain in (
                    "aka.ms",
                    "mimecast.com",
                    "cisco.com"
                  )
                 )
    ) != length(body.links)
  )
  // Adobe branding must be detected by one of two paths:
  //   1. a rendered screenshot of the message in which logo detection finds
  //      an "Adobe" brand, and the body carries between 1 and 9 links; or
  //   2. an attachment in which logo detection finds "Adobe" at medium or
  //      high confidence, and the exploded attachment (presumably what `..`
  //      refers to) or the message body carries at least one URL.
  // NOTE(review): in path 1 the inner logo_detect() call screenshots the
  // message again rather than using the exploded item; presumably
  // intentional, but worth confirming.
  and (
    any(file.explode(beta.message_screenshot()),
        any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Adobe")
        and 0 < length(body.links) < 10
    )
    or any(attachments,
           any(ml.logo_detect(.).brands,
               .name == "Adobe"
               and .confidence in ("medium", "high")
               and any(file.explode(..),
                       (
                         length(.scan.url.urls) > 0
                         or length(.scan.pdf.urls) > 0
                         or length(body.links) > 0
                       )
               )
           )
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // i.e. a sender from a high-trust root domain is only kept when its DMARC
  // check did not pass, which is the case a brand spoof would produce.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // Sender reputation: the sender is either not a solicited correspondent,
  // or has prior malicious/spam verdicts with no recorded false positives.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // Any false-positive history for this sender suppresses the rule outright
  // (this also makes the any_false_positives check inside the block above
  // redundant).
  and not profile.by_sender().any_false_positives

# Classification metadata used for triage and reporting.
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
detection_methods:
  - "Content analysis"
  - "Computer Vision"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
# Rule identifier (UUID).
id: "1d7add81-9822-576a-bcae-c4440e75e393"