Brand impersonation: Adobe Acrobat Sign PDF phishing file format template
Detects specific credential phishing PDF attachments that contain Adobe branding or Adobe Acrobat Sign text along with specific file format indicators, potentially indicating fraudulent documents impersonating legitimate Adobe services.
Sublime rule
name: "Brand impersonation: Adobe Acrobat Sign PDF phishing file format template"
description: "Detects specific credential phishing PDF attachments that contain Adobe branding or Adobe Acrobat Sign text along with specific file format indicators, potentially indicating fraudulent documents impersonating legitimate Adobe services."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          // Adobe signal: detected logo or Acrobat Sign wording in the OCR text
          (
            any(ml.logo_detect(.).brands, .name == "Adobe")
            or strings.icontains(beta.ocr(.).text,
                                 'Powered by Adobe Acrobat Sign'
            )
            or strings.icontains(beta.ocr(.).text, 'Adobe Acrobat Sign')
          )
          // template marker that must appear in the same PDF
          and strings.icontains(beta.ocr(.).text, 'File Format: PDF')
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
detection_methods:
  - "Computer Vision"
  - "Optical Character Recognition"
  - "File analysis"
id: "d2b1dee3-868e-5ac7-b729-fefc67b7d02f"
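
The rule's boolean logic re-expressed in Python, as an added example for testing expectations offline; it is not Sublime's code or part of the rule. The fields `inbound`, `file_type`, `logo_brands` and `ocr_text` are hypothetical stand-ins for `type.inbound`, `.file_type`, `ml.logo_detect` and `beta.ocr` output, and all sample messages are constructed.

```python
SIGN_TEXT = "Adobe Acrobat Sign"
FORMAT_MARKER = "File Format: PDF"

def icontains(haystack, needle):
    """Case-insensitive substring test, mirroring strings.icontains."""
    return needle.casefold() in (haystack or "").casefold()

def attachment_matches(att):
    """One PDF must carry both an Adobe signal and the format marker."""
    if att.get("file_type") != "pdf":
        return False
    ocr = att.get("ocr_text", "")
    adobe = "Adobe" in att.get("logo_brands", []) or icontains(ocr, SIGN_TEXT)
    return adobe and icontains(ocr, FORMAT_MARKER)

def rule_matches(msg):
    """type.inbound and any(filter(attachments, pdf), <conditions>)."""
    return bool(msg.get("inbound")) and any(
        attachment_matches(a) for a in msg.get("attachments", []))

def pdf(ocr_text, logos=()):
    """Build a constructed attachment record (hypothetical field names)."""
    return {"file_type": "pdf", "ocr_text": ocr_text, "logo_brands": list(logos)}

# Constructed sample messages, not real telemetry.
SAMPLES = {
    "logo_and_marker": {"inbound": True, "attachments": [
        pdf("Shared file\nFile Format: PDF\nView Document", ["Adobe"])]},
    "text_and_marker_mixed_case": {"inbound": True, "attachments": [
        pdf("POWERED BY ADOBE ACROBAT SIGN\nfile format: pdf")]},
    "logo_without_marker": {"inbound": True, "attachments": [
        pdf("Quarterly report", ["Adobe"])]},
    "signals_split_across_pdfs": {"inbound": True, "attachments": [
        pdf("Invoice", ["Adobe"]), pdf("File Format: PDF")]},
    "outbound_copy": {"inbound": False, "attachments": [
        pdf("Adobe Acrobat Sign\nFile Format: PDF")]},
}

def evaluate_samples():
    """Return {sample name: whether the emulated rule fires}."""
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:28} {'MATCH' if hit else 'no match'}")
```

The last three samples show that both conditions are evaluated per attachment and only on inbound mail, so an Adobe logo alone, or the two signals split across different PDFs, does not fire.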