Brand impersonation: Adobe (QR code)
Detects messages using Adobe image-based lures that reference or include a QR code and come from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
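name: "Brand impersonation: Adobe (QR code)"
description: "Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads."
type: "rule"
severity: "high"
source: |
  // Three gates must all hold:
  //   1. an attachment carries Adobe branding,
  //   2. an attachment of the same type classes carries a QR code plus at least
  //      one phishing signal (not necessarily the same attachment as in 1),
  //   3. the sender is not an authenticated Adobe / high-trust domain and is
  //      not an established solicited sender.
  type.inbound
  and (
    // 1a. image or PDF attachment with an Adobe logo or "adobe acrobat|sign" text
    any(attachments,
        (.file_type in $file_types_images or .file_type == "pdf")
        and (
          any(ml.logo_detect(.).brands,
              .name == "Adobe" and .confidence in ("medium", "high")
          )
          // NOTE(review): unlike the attachment match above, the screenshot
          // match applies no confidence threshold, so low-confidence hits count.
          or any(ml.logo_detect(file.message_screenshot()).brands,
                 .name == "Adobe"
          )
          or any(file.explode(.),
                 any(.scan.strings.strings,
                     regex.icontains(., "adobe (acrobat|sign)")
                     // negate PDF data, like "xmp:CreatorTool>Adobe Acrobat Pro (64-bit) 24.4.20272</xmp:CreatorTool>"
                     and not regex.icontains(.,
                                             "(creatortool|producer|creator).{1,5}adobe acrobat"
                     )
                 )
          )
        )
    )
    // 1b. macro-capable document (by extension) that embeds images and mentions "adobe"
    or any(attachments,
           .file_extension in $file_extensions_macros
           and any(file.explode(.), .depth == 0 and .scan.docx.image_count > 0)
           and any(file.explode(.),
                   any(.scan.strings.strings, strings.ilike(., "*adobe*"))
           )
    )
  )
  // 2. QR code evidence in an image, PDF or macro document
  and any(attachments,
          (
            .file_type in $file_types_images
            or .file_type == "pdf"
            // the macro branch in gate 1b matches on .file_extension, so accept
            // either field here; otherwise that branch could be matched above
            // and then silently fail this gate
            or .file_type in $file_extensions_macros
            or .file_extension in $file_extensions_macros
          )
          and (
            // 2a. OCR text instructs the user to scan a QR/barcode
            any(file.explode(.),
                regex.icontains(.scan.ocr.raw, 'scan|camera')
                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
            )
            // 2b. a decoded QR URL plus at least one phishing signal
            or any(file.explode(.),
                   .scan.qr.type == "url"
                   and (
                     // recipient email address is present in the URL (plain or
                     // base64-encoded), a common tactic used in credential
                     // phishing attacks, or the To header is "undisclosed"
                     any(recipients.to,
                         (
                           .email.domain.valid
                           and (
                             strings.icontains(..scan.qr.data, .email.email)
                             or any(beta.scan_base64(..scan.qr.data, format="url"),
                                    strings.icontains(., ..email.email)
                             )
                           )
                         )
                         or strings.icontains(.display_name, "undisclosed")
                     )
                     // The signals below do not depend on a particular recipient
                     // and are kept outside any(recipients.to, ...) so they still
                     // apply when the To list is empty (e.g. BCC-only delivery).

                     // the recipient's sld is in the sender's display name
                     or any(recipients.to,
                            strings.icontains(sender.display_name, .email.domain.sld)
                     )
                     // the recipient's local part is in the body
                     or any(recipients.to,
                            strings.icontains(body.current_thread.text, .email.local_part)
                     )
                     // or the body is empty
                     or body.current_thread.text is null
                     or body.current_thread.text == ""
                     // or the subject contains authentication/urgency verbiage;
                     // case-insensitive so "2FA", "ALERT", "Action Required" match
                     or regex.icontains(subject.subject,
                                        "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
                     )
                     // high confidence cred theft in body
                     or any(ml.nlu_classifier(body.current_thread.text).intents,
                            .name == "cred_theft" and .confidence in ("high")
                     )
                   )
            )
          )
  )
  // 3a. negate mail from Adobe-owned domains that passed composite
  // authentication on some hop. NOTE(review): only the compauth verdict is
  // consulted here; in environments whose hops do not emit compauth this
  // exclusion never applies, and Adobe mail is only negated by 3b below.
  and (
    not any(headers.hops,
            .authentication_results.compauth.verdict is not null
            and .authentication_results.compauth.verdict == "pass"
            and sender.email.domain.root_domain in (
              "acrobat.com",
              "adobecc.com",
              "adobecces.com",
              "adobeccstatic.com",
              "adobe.com",
              "adobeexchange.com",
              "adobe-identity.com",
              "adobe.io",
              "adobejanus.com",
              "adobelogin.com",
              "adobe.net",
              "adobeprojectm.com",
              "adoberesources.net",
              "adobesc.com",
              "adobesign.com",
              "adobestock.com",
              "createjs.com",
              "licensingstack.com",
              "myportfolio.com",
              "photoshop.com",
              "typekit.com",
              "typekit.net"
            )
    )
  )

  // 3b. negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // 3c. unsolicited sender, or a solicited sender with only malicious/spam history
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "QR code"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "QR code analysis"
  - "Sender analysis"
id: "2fc36c6d-86a2-5b12-b5a4-5d8744858381"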