Brand impersonation: Adobe (QR code)
Detects messages using Adobe image-based lures that reference or include a QR code and come from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
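name: "Brand impersonation: Adobe (QR code)"
description: "Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
"
type: "rule"
severity: "high"
source: |
  type.inbound

  // 1. An Adobe-branded image or PDF attachment.
  //    The second branch runs logo detection on a rendered screenshot of the
  //    whole message rather than on the attachment itself, and carries no
  //    confidence filter, unlike the per-attachment branch.
  //    NOTE(review): confirm the missing confidence filter is intentional.
  and any(attachments,
          (.file_type in $file_types_images or .file_type == "pdf")
          and (
            any(ml.logo_detect(.).brands,
                .name == "Adobe" and .confidence in ("medium", "high")
            )
            or any(ml.logo_detect(beta.message_screenshot()).brands,
                   .name == "Adobe"
            )
          )
  )

  // 2. A QR lure in an attachment. This may be a different attachment from
  //    the branded one above; the rule only requires both to exist.
  and any(attachments,
          (
            .file_type in $file_types_images
            or .file_type == "pdf"
            or .file_type in $file_extensions_macros
          )
          and (
            // OCR text instructs the user to scan a QR code / barcode
            any(file.explode(.),
                regex.icontains(.scan.ocr.raw, 'scan|camera')
                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
            )
            // or a decoded QR code resolves to a URL and at least one
            // personalisation / social-engineering signal is present.
            // The signals are siblings of the recipient check rather than
            // nested inside any(recipients.to, ...), so a message with no
            // To: recipients (e.g. BCC-only delivery) can still match on the
            // body and subject signals.
            or any(file.explode(.),
                   .scan.qr.type == "url"
                   and (
                     // recipient email address is present in the URL, a
                     // common tactic used in credential phishing attacks
                     any(recipients.to,
                         strings.icontains(..scan.qr.data, .email.email)
                     )
                     // the recipient's SLD is in the sender's display name
                     or any(recipients.to,
                            strings.icontains(sender.display_name,
                                              .email.domain.sld
                            )
                     )
                     // the recipient's local-part is in the body
                     or any(recipients.to,
                            strings.icontains(body.current_thread.text,
                                              .email.local_part
                            )
                     )
                     // or the body is empty
                     or body.current_thread.text is null
                     or body.current_thread.text == ""
                     // or the subject contains authentication/urgency verbiage.
                     // Case-insensitive so that "QR Code", "2FA" and "ALERT"
                     // match as well as the lowercase forms in the pattern,
                     // consistent with the OCR checks above.
                     or regex.icontains(subject.subject,
                                        "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
                     )
                   )
            )
          )
  )

  // 3. Negate mail that passes Microsoft composite authentication (compauth)
  //    from Adobe's own sending domains. The list is an allowlist of root
  //    domains; anything not listed is still evaluated.
  and (
    not any(headers.hops,
            .authentication_results.compauth.verdict is not null
            and .authentication_results.compauth.verdict == "pass"
            and sender.email.domain.root_domain in (
              "acrobat.com",
              "adobecc.com",
              "adobecces.com",
              "adobeccstatic.com",
              "adobe.com",
              "adobeexchange.com",
              "adobe-identity.com",
              "adobe.io",
              "adobejanus.com",
              "adobelogin.com",
              "adobe.net",
              "adobeprojectm.com",
              "adoberesources.net",
              "adobesc.com",
              "adobesign.com",
              "adobestock.com",
              "createjs.com",
              "licensingstack.com",
              "myportfolio.com",
              "photoshop.com",
              "typekit.com",
              "typekit.net"
            )
    )
  )

  // 4. Negate highly trusted sender domains unless they fail DMARC
  //    authentication on at least one hop.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // 5. Only unsolicited senders, or solicited senders that already have a
  //    malicious/spam verdict and no recorded false positives.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "QR code"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "QR code analysis"
  - "Sender analysis"
id: "2fc36c6d-86a2-5b12-b5a4-5d8744858381"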