Brand impersonation: Adobe Sign with suspicious indicators
Detects messages impersonating Adobe Sign that contain Adobe branding elements but are not sent from legitimate Adobe domains and lack proper Adobe Sign authentication headers.
name: "Brand impersonation: Adobe Sign with suspicious indicators"
description: "Detects messages impersonating Adobe Sign that contain Adobe branding elements but are not sent from legitimate Adobe domains and lack proper Adobe Sign authentication headers."
type: "rule"
severity: "high"
source: |
  type.inbound
  // scope: only messages that carry no PDF attachment
  and length(filter(attachments, .file_type == "pdf")) == 0
  // Adobe Sign branding in the HTML body: either the logo/alt-text markers in the raw HTML,
  // or an <img src> hosted on adobesign.com under the cobrand-logo path or the checkmark asset
  and (
    regex.icontains(body.html.raw,
                    'alt="Adobe Acrobat Sign"',
                    "adobe-sign-logo.{0,20}.png",
                    'alt="Powered by Adobe Acrobat Sign"'
    )
    or any(html.xpath(body.html, "//img/@src").nodes,
           strings.parse_url(.raw).domain.root_domain == "adobesign.com"
           and (
             strings.istarts_with(strings.parse_url(.raw).path, "/cobrand_logo/")
             or strings.icontains(strings.parse_url(.raw).path, "checkmarkCircle")
           )
    )
  )
  // negations: each clause below describes a way a branded message can still be benign
  and not (
    // inspect the "oldest" thread, negate where that thread is the original Adobe Sign email (based on link domains)
    // every link in that thread must resolve to an Adobe/Mimecast domain, an org domain,
    // the sender's domain, or a recipient's domain
    (
      length(body.previous_threads[length(body.previous_threads) - 1].links) > 0
      and all(body.previous_threads[length(body.previous_threads) - 1].links,
              .href_url.domain.root_domain in (
                "aka.ms",
                "adobe.com",
                "adobesign.com",
                "echosign.com",
                "adobesignsandbox.com",
                "mimecastprotect.com",
                "mimecast.com"
              )
              or .href_url.domain.root_domain in $org_domains
              or .href_url.domain.root_domain == sender.email.domain.root_domain
              or any(recipients.to,
                     .email.domain.root_domain == ..href_url.domain.root_domain
              )
      )
    )
    // legit review button
    // a call-to-action link whose target is an Adobe domain, directly or behind a Mimecast rewrite
    or any(body.links,
           .display_text in (
             "Review and sign",
             "the document",
             "Open agreement",
             "VIEW DOCUMENTS",
             "Click here to review and sign"
           )
           and (
             .href_url.domain.root_domain in (
               "adobe.com",
               "adobesign.com",
               "echosign.com",
               "adobesignsandbox.com",
             )
             // Mimecast link logic
             // the wrapped destination is read from the decoded 'domain' query parameter
             or (
               .href_url.domain.root_domain in (
                 "mimecastprotect.com",
                 "mimecast.com"
               )
               and any(.href_url.query_params_decoded['domain'],
                       strings.parse_domain(.).root_domain in (
                         "adobe.com",
                         "adobesign.com",
                         "echosign.com",
                         "adobesignsandbox.com",
                       )
               )
             )
           )
    )
    // accidental recipient
    or any(recipients.to, .email.email == "adobesign@adobesign.com")
    // known Adobe Sign message ID formats
    // only headers.references[0] is matched, and only when there is more than one
    // reference or at least one previous thread
    or (
      (length(headers.references) > 1 or length(body.previous_threads) != 0)
      and regex.imatch(headers.references[0],
                       '[0-9]{9,10}\.[0-9]{4,6}\.[0-9]{13}@event-consumer-prod-[a-z]-[a-z0-9]{7,10}-[a-z0-9]{5}',
                       '[0-9]{8,10}\.[0-9]{5,7}\.[0-9]{13}@(webapp|job)-prod-.*$',
                       '[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}-APO-PRODHIPAA@apo-p-h'
      )
    )
    // negate Adobe Sign messages from custom domains
    // NOTE(review): this keys on the presence of named header fields in the hops and is not
    // tied to any authentication result — confirm that is the intended trust boundary
    or any(headers.hops,
           any(.fields, .name in ("Adobesigneventid", "Agreementid"))
    )
  )
  // negate legitimate senders: Adobe-owned domains (and helpscout.net) that pass DMARC
  and not (
    sender.email.domain.root_domain in (
      "adobe.com",
      "adobesign.com",
      "adobesignsandbox.com",
      "echosign.com",
      // ticketing software that embeds emails
      "helpscout.net"
    )
    and headers.auth_summary.dmarc.pass
  )
  // high-trust sender domains are only in scope when DMARC fails; every other sender domain is in scope
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# rule metadata
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Sender analysis"
id: "704d143a-7ef2-5601-9e38-e659f0f65c8c"