Brand impersonation: Adobe (QR code)
Detects messages using Adobe image-based lures that reference or include a QR code, sent by an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
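name: "Brand impersonation: Adobe (QR code)"
# Description kept on one line: the original closed the quoted scalar on the next line,
# which YAML folds into a trailing space at the end of the description.
description: "Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads."
type: "rule"
severity: "high"
source: |
  type.inbound
  // 1. An Adobe-branded lure must be present, either in an image/PDF attachment
  //    or in a macro-enabled document that embeds at least one image.
  and (
    any(attachments,
        (.file_type in $file_types_images or .file_type == "pdf")
        and (
          any(ml.logo_detect(.).brands,
              .name == "Adobe" and .confidence in ("medium", "high")
          )
          // message-level screenshot; this test does not depend on the attachment being iterated
          or any(ml.logo_detect(beta.message_screenshot()).brands,
                 .name == "Adobe"
          )
          or any(file.explode(.),
                 any(.scan.strings.strings, regex.icontains(., "adobe (acrobat|sign)"))
          )
        )
    )
    or any(attachments,
           .file_extension in $file_extensions_macros
           // only the top-level document (depth 0) is considered, and it must carry an image
           and any(file.explode(.), .depth == 0 and .scan.docx.image_count > 0)
           and any(file.explode(.),
                   any(.scan.strings.strings, strings.ilike(., "*adobe*"))
           )
    )
  )
  // 2. A QR code, or OCR'd instructions to scan one, must be present in an attachment
  //    of the same kinds as above.
  and any(attachments,
          (
            .file_type in $file_types_images
            or .file_type == "pdf"
            or .file_type in $file_extensions_macros
            // Also key on the extension, as the macro-document clause above does: .file_type is
            // content-derived and is not guaranteed to use the names in an extension list, so
            // without this an attachment selected by extension above may never satisfy this clause.
            or .file_extension in $file_extensions_macros
          )
          and (
            // OCR text tells the reader to scan a QR code / barcode
            any(file.explode(.),
                regex.icontains(.scan.ocr.raw, 'scan|camera')
                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
            )
            or (
              any(file.explode(.),
                  .scan.qr.type == "url"
                  // NOTE(review): every alternative below is nested inside this any(recipients.to, ...),
                  // so all of them - including the body, subject and NLU checks - only apply when the
                  // message has at least one To: recipient; confirm this is intended.
                  // recipient email address is present in the URL, a common tactic used in credential phishing attacks
                  and any(recipients.to,
                          (
                            strings.icontains(..scan.qr.data, .email.email)
                            and (
                              .email.domain.valid
                              or strings.icontains(.display_name, "undisclosed")
                            )
                          )

                          // the recipient's SLD is in the sender's display name
                          or any(recipients.to,
                                 strings.icontains(sender.display_name,
                                                   .email.domain.sld
                                 )
                          )

                          // the recipient's local part is in the body
                          or any(recipients.to,
                                 strings.icontains(body.current_thread.text,
                                                   .email.local_part
                                 )
                          )

                          // or the body is null or empty
                          or body.current_thread.text is null
                          or body.current_thread.text == ""

                          // or the subject contains authentication/urgency verbiage
                          or regex.contains(subject.subject,
                                            "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
                          )

                          // high confidence cred theft in body
                          or any(ml.nlu_classifier(body.current_thread.text).intents,
                                 .name == "cred_theft" and .confidence == "high"
                          )
                  )
              )
            )
          )
  )
  // 3. Sender checks. Exempt Adobe-owned root domains only when a hop carries a
  //    compauth verdict of "pass"; an Adobe domain that fails it is still evaluated.
  and (
    not any(headers.hops,
            .authentication_results.compauth.verdict is not null
            and .authentication_results.compauth.verdict == "pass"
            and sender.email.domain.root_domain in (
              "acrobat.com",
              "adobecc.com",
              "adobecces.com",
              "adobeccstatic.com",
              "adobe.com",
              "adobeexchange.com",
              "adobe-identity.com",
              "adobe.io",
              "adobejanus.com",
              "adobelogin.com",
              "adobe.net",
              "adobeprojectm.com",
              "adoberesources.net",
              "adobesc.com",
              "adobesign.com",
              "adobestock.com",
              "createjs.com",
              "licensingstack.com",
              "myportfolio.com",
              "photoshop.com",
              "typekit.com",
              "typekit.net"
            )
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // unsolicited sender, or a known sender with prior malicious/spam messages and no false positives
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "QR code"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "QR code analysis"
  - "Sender analysis"
id: "2fc36c6d-86a2-5b12-b5a4-5d8744858381"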