Attachment: Adobe Sign lure PDF with embedded banner images
Detects inbound messages containing PDF attachments that contain embedded banner images mimicking Adobe Sign branding, commonly used to deceive recipients into believing the document is legitimate.
Sublime rule
name: "Attachment: Adobe Sign lure PDF with embedded banner images"
description: "Detects inbound messages containing PDF attachments that contain embedded banner images mimicking Adobe Sign branding, commonly used to deceive recipients into believing the document is legitimate."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              any(.scan.yara.matches, .name == 'adobe_sign_lure_banner_images')
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "Impersonation: Brand"
detection_methods:
  - "File analysis"
  - "YARA"
id: "f27f40ff-3349-50a6-ade3-182b069775c2"