Brand impersonation: Adobe (QR code)
Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Adobe (QR code)"
2description: "Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and (
8 any(attachments,
9 (.file_type in $file_types_images or .file_type == "pdf")
10 and (
11 any(ml.logo_detect(.).brands,
12 .name == "Adobe" and .confidence in ("medium", "high")
13 )
14 or any(ml.logo_detect(file.message_screenshot()).brands,
15 .name == "Adobe"
16 )
17 or any(file.explode(.),
18 any(.scan.strings.strings,
19 regex.icontains(., "adobe (acrobat|sign)")
20 // negate PDF data, like "xmp:CreatorTool>Adobe Acrobat Pro (64-bit) 24.4.20272</xmp:CreatorTool>"
21 and not regex.icontains(.,
22 "(creatortool|producer|creator).{1,5}adobe acrobat"
23 )
24 )
25 )
26 )
27 )
28 or any(attachments,
29 .file_extension in $file_extensions_macros
30 and any(file.explode(.), .depth == 0 and .scan.docx.image_count > 0)
31 and any(file.explode(.),
32 any(.scan.strings.strings, strings.ilike(., "*adobe*"))
33 )
34 )
35 )
36 and any(attachments,
37 (
38 .file_type in $file_types_images
39 or .file_type == "pdf"
40 or .file_type in $file_extensions_macros
41 )
42 and (
43 any(file.explode(.),
44 regex.icontains(.scan.ocr.raw, 'scan|camera')
45 and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
46 )
47 or (
48 any(file.explode(.),
49 .scan.qr.type == "url"
50 // recipient email address is present in the URL, a common tactic used in credential phishing attacks
51 and any(recipients.to,
52 (
53 (
54 .email.domain.valid
55 and (
56 strings.icontains(..scan.qr.data, .email.email)
57 or any(beta.scan_base64(..scan.qr.data, format="url"),
58 strings.icontains(., ..email.email)
59 )
60 )
61 )
62 or strings.icontains(.display_name, "undisclosed")
63 )
64
65 // the recipients sld is in the senders display name
66 or any(recipients.to,
67 strings.icontains(sender.display_name,
68 .email.domain.sld
69 )
70 )
71
72 // the recipient local is in the body
73 or any(recipients.to,
74 strings.icontains(body.current_thread.text,
75 .email.local_part
76 )
77 )
78
79 // or the body is null
80 or body.current_thread.text is null
81 or body.current_thread.text == ""
82
83 // or the subject contains authentication/urgency verbiage
84 or regex.contains(subject.subject,
85 "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
86 )
87
88 // high confidence cred theft in body
89 or any(ml.nlu_classifier(body.current_thread.text).intents,
90 .name == "cred_theft" and .confidence in ("high")
91 )
92 )
93 )
94 )
95 )
96 )
97 and (
98 not any(headers.hops,
99 .authentication_results.compauth.verdict is not null
100 and .authentication_results.compauth.verdict == "pass"
101 and sender.email.domain.root_domain in (
102 "acrobat.com",
103 "adobecc.com",
104 "adobecces.com",
105 "adobeccstatic.com",
106 "adobe.com",
107 "adobeexchange.com",
108 "adobe-identity.com",
109 "adobe.io",
110 "adobejanus.com",
111 "adobelogin.com",
112 "adobe.net",
113 "adobeprojectm.com",
114 "adoberesources.net",
115 "adobesc.com",
116 "adobesign.com",
117 "adobestock.com",
118 "createjs.com",
119 "licensingstack.com",
120 "myportfolio.com",
121 "photoshop.com",
122 "typekit.com",
123 "typekit.net"
124 )
125 )
126 )
127
128 // negate highly trusted sender domains unless they fail DMARC authentication
129 and (
130 (
131 sender.email.domain.root_domain in $high_trust_sender_root_domains
132 and not headers.auth_summary.dmarc.pass
133 )
134 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
135 )
136 and (
137 not profile.by_sender().solicited
138 or (
139 profile.by_sender().any_messages_malicious_or_spam
140 and not profile.by_sender().any_messages_benign
141 )
142 )
143attack_types:
144 - "Credential Phishing"
145tactics_and_techniques:
146 - "Impersonation: Brand"
147 - "PDF"
148 - "QR code"
149detection_methods:
150 - "Computer Vision"
151 - "Header analysis"
152 - "QR code analysis"
153 - "Sender analysis"
154id: "2fc36c6d-86a2-5b12-b5a4-5d8744858381"