Brand impersonation: Adobe (QR code)

Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: Adobe (QR code)"
  2description: "Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
  3"
  4type: "rule"
  5severity: "high"
  6source: |
  7  type.inbound
  8  and (
  9    any(attachments,
 10        (.file_type in $file_types_images or .file_type == "pdf")
 11        and (
 12          any(ml.logo_detect(.).brands,
 13              .name == "Adobe" and .confidence in ("medium", "high")
 14          )
 15          or any(ml.logo_detect(beta.message_screenshot()).brands,
 16                 .name == "Adobe"
 17          )
 18          or any(file.explode(.),
 19                 any(.scan.strings.strings,
 20                     regex.icontains(., "adobe (acrobat|sign)")
 21                     // negate PDF data, like "xmp:CreatorTool>Adobe Acrobat Pro (64-bit) 24.4.20272</xmp:CreatorTool>"
 22                     and not regex.icontains(.,
 23                                             "(creatortool|producer|creator).{1,5}adobe acrobat"
 24                     )
 25                 )
 26          )
 27        )
 28    )
 29    or any(attachments,
 30           .file_extension in $file_extensions_macros
 31           and any(file.explode(.), .depth == 0 and .scan.docx.image_count > 0)
 32           and any(file.explode(.),
 33                   any(.scan.strings.strings, strings.ilike(., "*adobe*"))
 34           )
 35    )
 36  )
 37  and any(attachments,
 38          (
 39            .file_type in $file_types_images
 40            or .file_type == "pdf"
 41            or .file_type in $file_extensions_macros
 42          )
 43          and (
 44            any(file.explode(.),
 45                regex.icontains(.scan.ocr.raw, 'scan|camera')
 46                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
 47            )
 48            or (
 49              any(file.explode(.),
 50                  .scan.qr.type == "url"
 51                  // recipient email address is present in the URL, a common tactic used in credential phishing attacks 
 52                  and any(recipients.to,
 53                          (
 54                            (
 55                              .email.domain.valid
 56                              and (
 57                                strings.icontains(..scan.qr.data, .email.email)
 58                                or any(beta.scan_base64(..scan.qr.data, format="url"),
 59                                       strings.icontains(., ..email.email)
 60                                )
 61                              )
 62                            )
 63                            or strings.icontains(.display_name, "undisclosed")
 64                          )
 65  
 66                          // the recipients sld is in the senders display name
 67                          or any(recipients.to,
 68                                 strings.icontains(sender.display_name,
 69                                                   .email.domain.sld
 70                                 )
 71                          )
 72  
 73                          // the recipient local is in the body  
 74                          or any(recipients.to,
 75                                 strings.icontains(body.current_thread.text,
 76                                                   .email.local_part
 77                                 )
 78                          )
 79  
 80                          // or the body is null 
 81                          or body.current_thread.text is null
 82                          or body.current_thread.text == ""
 83  
 84                          // or the subject contains authentication/urgency verbiage
 85                          or regex.contains(subject.subject,
 86                                            "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
 87                          )
 88  
 89                          // high confidence cred theft in body
 90                          or any(ml.nlu_classifier(body.current_thread.text).intents,
 91                                 .name == "cred_theft" and .confidence in ("high")
 92                          )
 93                  )
 94              )
 95            )
 96          )
 97  )
 98  and (
 99    not any(headers.hops,
100            .authentication_results.compauth.verdict is not null
101            and .authentication_results.compauth.verdict == "pass"
102            and sender.email.domain.root_domain in (
103              "acrobat.com",
104              "adobecc.com",
105              "adobecces.com",
106              "adobeccstatic.com",
107              "adobe.com",
108              "adobeexchange.com",
109              "adobe-identity.com",
110              "adobe.io",
111              "adobejanus.com",
112              "adobelogin.com",
113              "adobe.net",
114              "adobeprojectm.com",
115              "adoberesources.net",
116              "adobesc.com",
117              "adobesign.com",
118              "adobestock.com",
119              "createjs.com",
120              "licensingstack.com",
121              "myportfolio.com",
122              "photoshop.com",
123              "typekit.com",
124              "typekit.net"
125            )
126    )
127  )
128  
129  // negate highly trusted sender domains unless they fail DMARC authentication
130  and (
131    (
132      sender.email.domain.root_domain in $high_trust_sender_root_domains
133      and not headers.auth_summary.dmarc.pass
134    )
135    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
136  )
137  and (
138    not profile.by_sender().solicited
139    or (
140      profile.by_sender().any_messages_malicious_or_spam
141      and not profile.by_sender().any_messages_benign
142    )
143  )  
144attack_types:
145  - "Credential Phishing"
146tactics_and_techniques:
147  - "Impersonation: Brand"
148  - "PDF"
149  - "QR code"
150detection_methods:
151  - "Computer Vision"
152  - "Header analysis"
153  - "QR code analysis"
154  - "Sender analysis"
155id: "2fc36c6d-86a2-5b12-b5a4-5d8744858381"
to-top