Attachment: Adobe image lure with suspicious link from first time sender
Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language from a first-time sender.
# Sublime Security detection rule. The `source` block is MQL, evaluated against each message;
# the rule fires only when every `and` clause below holds.
name: "Attachment: Adobe image lure with suspicious link from first time sender"
description: "Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language from a first-time sender."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Every attachment must be an image: a single non-image attachment makes the
  // filtered count non-zero and the rule does not match.
  and length(filter(attachments, .file_type not in $file_types_images)) == 0
  // The body must carry at least one link, and no link may have display text
  // (presumably the call to action lives in the attached image rather than in
  // the link text — confirm against sample messages).
  and length(body.links) > 0
  and all(body.links, .display_text is null)
  // At least one attachment must both (a) contain a high-confidence Adobe logo
  // and (b) OCR to one of the document-signing call-to-action phrases.
  and any(attachments,
          any(ml.logo_detect(.).brands, .name == "Adobe" and .confidence in ("high"))
          and any(file.explode(.),
                  // NOTE(review): "*review*" is already covered by "*view*" (a
                  // substring of it); the extra pattern is harmless but redundant.
                  strings.ilike(.scan.ocr.raw,
                                "*review*",
                                "*sign*",
                                "*view*",
                                "*completed document*",
                                "*open agreement*"
                  )
          )
  )
  // First-time sender: a free-mail address that is not in $sender_emails, or a
  // non-free-mail domain that is not in $sender_domains. The two branches are
  // mutually exclusive on the free-mail test. NOTE(review): $sender_emails and
  // $sender_domains are assumed to be lists of previously seen senders — verify
  // how those lists are populated.
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
attack_types:
  # NOTE(review): the OCR phrases above describe a document-signing lure, which
  # reads more like a credential-phishing pattern than malware delivery — confirm
  # this category is the intended one.
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
detection_methods:
  - "Content analysis"
  - "Computer Vision"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "1d7add81-9822-576a-bcae-c4440e75e393"