Brand impersonation: Adobe (QR code)

Detects messages that use Adobe image-based lures and reference or include a QR code, sent from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Sublime rule

  1name: "Brand impersonation: Adobe (QR code)"
  2description: "Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
  3"
  4type: "rule"
  5severity: "high"
  6source: |
  7  type.inbound
  8  and (
  9    any(attachments,
 10        (.file_type in $file_types_images or .file_type == "pdf")
 11        and (
 12          any(ml.logo_detect(.).brands,
 13              .name == "Adobe" and .confidence in ("medium", "high")
 14          )
 15          or any(ml.logo_detect(beta.message_screenshot()).brands,
 16                 .name == "Adobe"
 17          )
 18        )
 19    )
 20    or any(attachments,
 21           .file_extension in $file_extensions_macros
 22           and any(file.explode(.), .depth == 0 and .scan.docx.image_count > 0)
 23           and any(file.explode(.),
 24                   any(.scan.strings.strings, strings.ilike(., "*adobe*"))
 25           )
 26    )
 27  )
 28  and any(attachments,
 29          (
 30            .file_type in $file_types_images
 31            or .file_type == "pdf"
 32            or .file_type in $file_extensions_macros
 33          )
 34          and (
 35            any(file.explode(.),
 36                regex.icontains(.scan.ocr.raw, 'scan|camera')
 37                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
 38            )
 39            or (
 40              any(file.explode(.),
 41                  .scan.qr.type == "url"
 42                  // recipient email address is present in the URL, a common tactic used in credential phishing attacks 
 43                  and any(recipients.to,
 44                          (
 45                            strings.icontains(..scan.qr.data, .email.email)
 46                            and (
 47                              .email.domain.valid
 48                              or strings.icontains(.display_name, "undisclosed")
 49                            )
 50                          )
 51  
 52                          // the recipients sld is in the senders display name
 53                          or any(recipients.to,
 54                                 strings.icontains(sender.display_name,
 55                                                   .email.domain.sld
 56                                 )
 57                          )
 58  
 59                          // the recipient local is in the body  
 60                          or any(recipients.to,
 61                                 strings.icontains(body.current_thread.text,
 62                                                   .email.local_part
 63                                 )
 64                          )
 65  
 66                          // or the body is null 
 67                          or body.current_thread.text is null
 68                          or body.current_thread.text == ""
 69  
 70                          // or the subject contains authentication/urgency verbiage
 71                          or regex.contains(subject.subject,
 72                                            "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
 73                          )
 74  
 75                          // high confidence cred theft in body
 76                          or any(ml.nlu_classifier(body.current_thread.text).intents,
 77                                 .name == "cred_theft" and .confidence in ("high")
 78                          )
 79                  )
 80              )
 81            )
 82          )
 83  )
 84  and (
 85    not any(headers.hops,
 86            .authentication_results.compauth.verdict is not null
 87            and .authentication_results.compauth.verdict == "pass"
 88            and sender.email.domain.root_domain in (
 89              "acrobat.com",
 90              "adobecc.com",
 91              "adobecces.com",
 92              "adobeccstatic.com",
 93              "adobe.com",
 94              "adobeexchange.com",
 95              "adobe-identity.com",
 96              "adobe.io",
 97              "adobejanus.com",
 98              "adobelogin.com",
 99              "adobe.net",
100              "adobeprojectm.com",
101              "adoberesources.net",
102              "adobesc.com",
103              "adobesign.com",
104              "adobestock.com",
105              "createjs.com",
106              "licensingstack.com",
107              "myportfolio.com",
108              "photoshop.com",
109              "typekit.com",
110              "typekit.net"
111            )
112    )
113  )
114  
115  // negate highly trusted sender domains unless they fail DMARC authentication
116  and (
117    (
118      sender.email.domain.root_domain in $high_trust_sender_root_domains
119      and not headers.auth_summary.dmarc.pass
120    )
121    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
122  )
123  and (
124    not profile.by_sender().solicited
125    or (
126      profile.by_sender().any_messages_malicious_or_spam
127      and not profile.by_sender().any_false_positives
128    )
129  )
130    
131attack_types:
132  - "Credential Phishing"
133tactics_and_techniques:
134  - "Impersonation: Brand"
135  - "PDF"
136  - "QR code"
137detection_methods:
138  - "Computer Vision"
139  - "Header analysis"
140  - "QR code analysis"
141  - "Sender analysis"
142id: "2fc36c6d-86a2-5b12-b5a4-5d8744858381"