Brand impersonation: Adobe (QR code)
Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Adobe (QR code)"
2description: "Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
3"
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and (
9 any(attachments,
10 (.file_type in $file_types_images or .file_type == "pdf")
11 and (
12 any(ml.logo_detect(.).brands,
13 .name == "Adobe" and .confidence in ("medium", "high")
14 )
15 or any(ml.logo_detect(file.message_screenshot()).brands,
16 .name == "Adobe"
17 )
18 or any(file.explode(.),
19 any(.scan.strings.strings,
20 regex.icontains(., "adobe (acrobat|sign)")
21 // negate PDF data, like "xmp:CreatorTool>Adobe Acrobat Pro (64-bit) 24.4.20272</xmp:CreatorTool>"
22 and not regex.icontains(.,
23 "(creatortool|producer|creator).{1,5}adobe acrobat"
24 )
25 )
26 )
27 )
28 )
29 or any(attachments,
30 .file_extension in $file_extensions_macros
31 and any(file.explode(.), .depth == 0 and .scan.docx.image_count > 0)
32 and any(file.explode(.),
33 any(.scan.strings.strings, strings.ilike(., "*adobe*"))
34 )
35 )
36 )
37 and any(attachments,
38 (
39 .file_type in $file_types_images
40 or .file_type == "pdf"
41 or .file_type in $file_extensions_macros
42 )
43 and (
44 any(file.explode(.),
45 regex.icontains(.scan.ocr.raw, 'scan|camera')
46 and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
47 )
48 or (
49 any(file.explode(.),
50 .scan.qr.type == "url"
51 // recipient email address is present in the URL, a common tactic used in credential phishing attacks
52 and any(recipients.to,
53 (
54 (
55 .email.domain.valid
56 and (
57 strings.icontains(..scan.qr.data, .email.email)
58 or any(beta.scan_base64(..scan.qr.data, format="url"),
59 strings.icontains(., ..email.email)
60 )
61 )
62 )
63 or strings.icontains(.display_name, "undisclosed")
64 )
65
66 // the recipients sld is in the senders display name
67 or any(recipients.to,
68 strings.icontains(sender.display_name,
69 .email.domain.sld
70 )
71 )
72
73 // the recipient local is in the body
74 or any(recipients.to,
75 strings.icontains(body.current_thread.text,
76 .email.local_part
77 )
78 )
79
80 // or the body is null
81 or body.current_thread.text is null
82 or body.current_thread.text == ""
83
84 // or the subject contains authentication/urgency verbiage
85 or regex.contains(subject.subject,
86 "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
87 )
88
89 // high confidence cred theft in body
90 or any(ml.nlu_classifier(body.current_thread.text).intents,
91 .name == "cred_theft" and .confidence in ("high")
92 )
93 )
94 )
95 )
96 )
97 )
98 and (
99 not any(headers.hops,
100 .authentication_results.compauth.verdict is not null
101 and .authentication_results.compauth.verdict == "pass"
102 and sender.email.domain.root_domain in (
103 "acrobat.com",
104 "adobecc.com",
105 "adobecces.com",
106 "adobeccstatic.com",
107 "adobe.com",
108 "adobeexchange.com",
109 "adobe-identity.com",
110 "adobe.io",
111 "adobejanus.com",
112 "adobelogin.com",
113 "adobe.net",
114 "adobeprojectm.com",
115 "adoberesources.net",
116 "adobesc.com",
117 "adobesign.com",
118 "adobestock.com",
119 "createjs.com",
120 "licensingstack.com",
121 "myportfolio.com",
122 "photoshop.com",
123 "typekit.com",
124 "typekit.net"
125 )
126 )
127 )
128
129 // negate highly trusted sender domains unless they fail DMARC authentication
130 and (
131 (
132 sender.email.domain.root_domain in $high_trust_sender_root_domains
133 and not headers.auth_summary.dmarc.pass
134 )
135 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
136 )
137 and (
138 not profile.by_sender().solicited
139 or (
140 profile.by_sender().any_messages_malicious_or_spam
141 and not profile.by_sender().any_messages_benign
142 )
143 )
144attack_types:
145 - "Credential Phishing"
146tactics_and_techniques:
147 - "Impersonation: Brand"
148 - "PDF"
149 - "QR code"
150detection_methods:
151 - "Computer Vision"
152 - "Header analysis"
153 - "QR code analysis"
154 - "Sender analysis"
155id: "2fc36c6d-86a2-5b12-b5a4-5d8744858381"