Brand impersonation: Adobe (QR code)
Detects messages using Adobe image-based lures that reference or include a QR code, sent from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
Sublime rule (View on GitHub)
name: "Brand impersonation: Adobe (QR code)"
description: "Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
"
type: "rule"
severity: "high"
# Detection logic (MQL). Three conjuncts on inbound mail:
#   1. an attachment carrying an Adobe brand lure (logo detection, screenshot
#      logo detection, or "adobe acrobat/sign" strings), or a macro-bearing
#      document that embeds images and mentions "adobe";
#   2. an attachment whose OCR text talks about scanning a QR/barcode, or whose
#      decoded QR is a URL combined with recipient/subject/body phishing signals;
#   3. sender negations: authenticated Adobe-owned root domains, high-trust
#      domains that pass DMARC, and solicited senders without prior bad history.
source: |
  type.inbound
  and (
    // --- Block 1a: image or PDF attachment carrying an Adobe brand lure ---
    any(attachments,
      (.file_type in $file_types_images or .file_type == "pdf")
      and (
        // logo detection on the attachment itself, medium/high confidence only
        any(ml.logo_detect(.).brands,
          .name == "Adobe" and .confidence in ("medium", "high")
        )
        // logo detection on a rendered screenshot of the whole message;
        // note: no confidence filter on this branch, unlike the one above
        or any(ml.logo_detect(beta.message_screenshot()).brands,
          .name == "Adobe"
        )
        // "adobe acrobat" / "adobe sign" appearing in the extracted strings
        or any(file.explode(.),
          any(.scan.strings.strings,
            regex.icontains(., "adobe (acrobat|sign)")
            // negate PDF data, like "xmp:CreatorTool>Adobe Acrobat Pro (64-bit) 24.4.20272</xmp:CreatorTool>"
            and not regex.icontains(.,
              "(creatortool|producer|creator).{1,5}adobe acrobat"
            )
          )
        )
      )
    )
    // --- Block 1b: macro-capable document that embeds images and mentions adobe ---
    or any(attachments,
      .file_extension in $file_extensions_macros
      // only the top-level document (depth 0) is required to contain images
      and any(file.explode(.), .depth == 0 and .scan.docx.image_count > 0)
      and any(file.explode(.),
        any(.scan.strings.strings, strings.ilike(., "*adobe*"))
      )
    )
  )
  // --- Block 2: QR code / barcode content in the attachment ---
  and any(attachments,
    (
      .file_type in $file_types_images
      or .file_type == "pdf"
      // NOTE(review): Block 1b matches macro files by .file_extension, while this
      // line compares .file_type against the same $file_extensions_macros list;
      // confirm the list contains file_type values or this disjunct never matches
      or .file_type in $file_extensions_macros
    )
    and (
      // OCR text instructing the reader to scan a QR code / barcode
      any(file.explode(.),
        regex.icontains(.scan.ocr.raw, 'scan|camera')
        and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
      )
      // or a decoded QR code that resolves to a URL, plus at least one
      // phishing signal below
      or (
        any(file.explode(.),
          .scan.qr.type == "url"
          // NOTE(review): every signal below is evaluated inside
          // any(recipients.to, ...), so the whole branch is false when
          // recipients.to is empty (e.g. BCC-only delivery) — confirm intended
          // recipient email address is present in the URL, a common tactic used in credential phishing attacks
          and any(recipients.to,
            (
              // `..` is assumed to refer to the enclosing file.explode(.) item
              strings.icontains(..scan.qr.data, .email.email)
              and (
                .email.domain.valid
                // recipient display name such as "undisclosed-recipients"
                or strings.icontains(.display_name, "undisclosed")
              )
            )

            // the recipients sld is in the senders display name
            or any(recipients.to,
              strings.icontains(sender.display_name,
                .email.domain.sld
              )
            )

            // the recipient local is in the body
            or any(recipients.to,
              strings.icontains(body.current_thread.text,
                .email.local_part
              )
            )

            // or the body is null
            or body.current_thread.text is null
            or body.current_thread.text == ""

            // or the subject contains authentication/urgency verbiage
            // NOTE(review): regex.contains is case-sensitive, while the rest of
            // the rule uses regex.icontains; the pattern mixes cases
            // ("Authenticat", "alert", "2fa") — confirm case sensitivity is intended
            or regex.contains(subject.subject,
              "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
            )

            // high confidence cred theft in body
            or any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "cred_theft" and .confidence in ("high")
            )
          )
        )
      )
    )
  )
  // --- Block 3: sender negations ---
  // negate mail whose composite authentication (compauth) passed AND whose
  // sender root domain is one of the Adobe-owned domains listed below;
  // an unauthenticated message from these domains is still evaluated
  and (
    not any(headers.hops,
      .authentication_results.compauth.verdict is not null
      and .authentication_results.compauth.verdict == "pass"
      and sender.email.domain.root_domain in (
        "acrobat.com",
        "adobecc.com",
        "adobecces.com",
        "adobeccstatic.com",
        "adobe.com",
        "adobeexchange.com",
        "adobe-identity.com",
        "adobe.io",
        "adobejanus.com",
        "adobelogin.com",
        "adobe.net",
        "adobeprojectm.com",
        "adoberesources.net",
        "adobesc.com",
        "adobesign.com",
        "adobestock.com",
        "createjs.com",
        "licensingstack.com",
        "myportfolio.com",
        "photoshop.com",
        "typekit.com",
        "typekit.net"
      )
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // require an unsolicited sender, or a sender with prior malicious/spam
  // verdicts and no recorded false positives
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

# Classification metadata
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "QR code"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "QR code analysis"
  - "Sender analysis"
id: "2fc36c6d-86a2-5b12-b5a4-5d8744858381"