Attachment: Adobe image lure in body or attachment with suspicious link

calendar Jun 12, 2024  ·
Share on: linkedin copy

Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.

Sublime rule (View on GitHub)

 1name: "Attachment: Adobe image lure in body or attachment with suspicious link"
 2description: "Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    length(filter(attachments, .file_type not in $file_types_images)) == 0
 9    or length(filter(attachments, .file_type != "pdf")) == 0
10  )
11  and (
12    any(file.explode(beta.message_screenshot()),
13        any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Adobe")
14        and 0 < length(body.links) < 10
15        and any(body.links, .display_text is null)
16        and (
17          length(filter(body.links,
18                        (
19                          .display_text is null
20                          and .display_url.url == sender.email.domain.root_domain
21                        )
22                        or .href_url.domain.root_domain in (
23                          "aka.ms",
24                          "mimecast.com",
25                          "cisco.com"
26                        )
27                 )
28          ) != length(body.links)
29        )
30    )
31    or any(attachments,
32            any(ml.logo_detect(.).brands,
33                   .name == "Adobe"
34                   and .confidence in ("medium", "high")
35                   and any(file.explode(..),
36                           (
37                             length(.scan.url.urls) > 0
38                             or length(.scan.pdf.urls) > 0
39                             or length(body.links) > 0
40                           )
41                   )
42           )
43    )
44  )
45  and (
46    (
47      (
48        length(headers.references) > 0
49        or not any(headers.hops,
50                   any(.fields, strings.ilike(.name, "In-Reply-To"))
51        )
52      )
53      and not (
54        (
55          strings.istarts_with(subject.subject, "RE:")
56          or strings.istarts_with(subject.subject, "RES:")
57          or strings.istarts_with(subject.subject, "R:")
58          or strings.istarts_with(subject.subject, "ODG:")
59          or strings.istarts_with(subject.subject, "答复:")
60          or strings.istarts_with(subject.subject, "AW:")
61          or strings.istarts_with(subject.subject, "TR:")
62          or strings.istarts_with(subject.subject, "FWD:")
63          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
64        )
65      )
66    )
67    or length(headers.references) == 0
68  )
69  // negate highly trusted sender domains unless they fail DMARC authentication
70  and (
71    (
72      sender.email.domain.root_domain in $high_trust_sender_root_domains
73      and not headers.auth_summary.dmarc.pass
74    )
75    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
76  )
77  and (
78    not profile.by_sender().solicited
79    or (
80      profile.by_sender().any_messages_malicious_or_spam
81      and not profile.by_sender().any_false_positives
82    )
83  )
84  and not profile.by_sender().any_false_positives  
85
86attack_types:
87  - "Malware/Ransomware"
88tactics_and_techniques:
89  - "Image as content"
90  - "Impersonation: Brand"
91detection_methods:
92  - "Content analysis"
93  - "Computer Vision"
94  - "Optical Character Recognition"
95  - "Sender analysis"
96  - "URL analysis"
97id: "1d7add81-9822-576a-bcae-c4440e75e393"
to-top