Brand impersonation: Adobe (QR code)
Detects messages using Adobe image-based lures that reference or include a QR code, sent from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
Sublime rule (View on GitHub)
# Sublime Security detection rule: YAML metadata plus an MQL expression in `source`.
# Fires on inbound mail carrying an Adobe-branded image/PDF/macro-document lure that
# also references or embeds a QR code, unless the message is suppressed by one of the
# sender-trust clauses at the end (compauth-passing Adobe domains, DMARC-passing
# high-trust domains, or an already-solicited sender with a clean history).
name: "Brand impersonation: Adobe (QR code)"
description: "Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
"
type: "rule"
severity: "high"
source: |
  // Only inbound mail is evaluated.
  type.inbound
  // Adobe lure, one of two forms:
  //  (a) an image or PDF attachment where logo detection finds Adobe at medium/high
  //      confidence, or the rendered message screenshot shows an Adobe logo (any confidence);
  //  (b) a macro-capable document that embeds images and contains an "adobe" string.
  and (
    any(attachments,
        (.file_type in $file_types_images or .file_type == "pdf")
        and (
          any(ml.logo_detect(.).brands,
              .name == "Adobe" and .confidence in ("medium", "high")
          )
          or any(ml.logo_detect(beta.message_screenshot()).brands,
                 .name == "Adobe"
          )
        )
    )
    or any(attachments,
           .file_extension in $file_extensions_macros
           // depth == 0 restricts the image count to the top-level document itself
           and any(file.explode(.), .depth == 0 and .scan.docx.image_count > 0)
           and any(file.explode(.),
                   any(.scan.strings.strings, strings.ilike(., "*adobe*"))
           )
    )
  )
  // QR-code evidence in a qualifying attachment: either OCR text that pairs
  // scan/camera wording with QR/barcode wording, or a decoded QR URL combined with
  // at least one of the recipient-, body-, subject- or NLU-based signals below.
  and any(attachments,
          (
            .file_type in $file_types_images
            or .file_type == "pdf"
            // NOTE(review): the macro branch above selects documents by .file_extension,
            // while this line compares .file_type against the same $file_extensions_macros
            // list — confirm .file_type values overlap with that list; if they do not,
            // macro attachments can never satisfy this QR-bearing-attachment requirement.
            or .file_type in $file_extensions_macros
          )
          and (
            any(file.explode(.),
                regex.icontains(.scan.ocr.raw, 'scan|camera')
                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
            )
            or (
              any(file.explode(.),
                  .scan.qr.type == "url"
                  // recipient email address is present in the URL, a common tactic used in credential phishing attacks
                  // (the leading `..` on ..scan.qr.data steps out of the recipients.to
                  // iteration back to the exploded file's decoded QR payload)
                  and any(recipients.to,
                          (
                            strings.icontains(..scan.qr.data, .email.email)
                            and (
                              .email.domain.valid
                              or strings.icontains(.display_name, "undisclosed")
                            )
                          )

                          // the recipients sld is in the senders display name
                          or any(recipients.to,
                                 strings.icontains(sender.display_name,
                                                   .email.domain.sld
                                 )
                          )

                          // the recipient local is in the body
                          or any(recipients.to,
                                 strings.icontains(body.current_thread.text,
                                                   .email.local_part
                                 )
                          )

                          // or the body is null
                          or body.current_thread.text is null
                          or body.current_thread.text == ""

                          // or the subject contains authentication/urgency verbiage
                          or regex.contains(subject.subject,
                                            "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
                          )

                          // high confidence cred theft in body
                          // (stricter than the medium/high threshold used for logo detection)
                          or any(ml.nlu_classifier(body.current_thread.text).intents,
                                 .name == "cred_theft" and .confidence in ("high")
                          )
                  )
              )
            )
          )
  )
  // Suppress the alert only when some hop carries a passing composite-authentication
  // (compauth) verdict AND the sender root domain is one of the Adobe-operated domains
  // listed here; both must hold on the same hop, so a listed domain that does not
  // pass compauth still fires.
  and (
    not any(headers.hops,
            .authentication_results.compauth.verdict is not null
            and .authentication_results.compauth.verdict == "pass"
            and sender.email.domain.root_domain in (
              "acrobat.com",
              "adobecc.com",
              "adobecces.com",
              "adobeccstatic.com",
              "adobe.com",
              "adobeexchange.com",
              "adobe-identity.com",
              "adobe.io",
              "adobejanus.com",
              "adobelogin.com",
              "adobe.net",
              "adobeprojectm.com",
              "adoberesources.net",
              "adobesc.com",
              "adobesign.com",
              "adobestock.com",
              "createjs.com",
              "licensingstack.com",
              "myportfolio.com",
              "photoshop.com",
              "typekit.com",
              "typekit.net"
            )
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Sender history: require an unsolicited sender, or a solicited sender that has
  // previously sent malicious/spam mail with no recorded false positives.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

# Classification tags and the rule's stable identifier.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "QR code"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "QR code analysis"
  - "Sender analysis"
id: "2fc36c6d-86a2-5b12-b5a4-5d8744858381"