Brand impersonation: Adobe with suspicious language and link

Email contains an Adobe logo, at least one link, and suspicious link language from a new sender.

Sublime rule

# Sublime Platform detection rule: YAML metadata wrapping an MQL boolean
# expression in `source`. The rule fires on inbound mail that combines Adobe
# branding with a document/e-signature call-to-action from a sender that has
# no benign history with the recipient (or whose mail fails authentication).
name: "Brand impersonation: Adobe with suspicious language and link"
description: "Email contains an Adobe logo, at least one link, and suspicious link language from a new sender."
type: "rule"
severity: "high"
# Every top-level `and` clause below must hold for the message to match.
source: |
  type.inbound
  // all attachments are images or 0 attachments
  and (
    (
      length(attachments) > 0
      and all(attachments, .file_type in $file_types_images)
    )
    or length(attachments) == 0
  )
  // the body must carry at least one hyperlink
  and length(body.links) > 0
  // Adobe branding, established by either of two paths:
  //   1. computer vision finds an Adobe logo with high confidence in a
  //      screenshot of the rendered message, or
  //   2. the current thread text mentions "adobe" AND either reads as a
  //      file-sharing message (exactly one NLU topic, not low confidence) or
  //      contains one of the listed document-access phrases, AND the thread
  //      text is short (under 2000 characters)
  and (
    any(ml.logo_detect(beta.message_screenshot()).brands,
        .name == "Adobe" and .confidence in ("high")
    )
    or (
      strings.icontains(body.current_thread.text, "adobe")
      and (
        // leverage topic analysis to pick up on themes
        (
          length(ml.nlu_classifier(body.current_thread.text).topics) == 1
          and all(ml.nlu_classifier(body.current_thread.text).topics,
                  .name == "File Sharing and Cloud Services"
                  and .confidence != "low"
          )
        )
        // keywords if topic analysis doesn't match
        or strings.icontains(body.current_thread.text, 'review the document')
        or strings.icontains(body.current_thread.text, 'access file')
        or strings.icontains(body.current_thread.text, 'pending document')
      )
      // the text-based path only applies to short messages
      and length(body.current_thread.text) < 2000
    )
  )
  // call-to-action language, found either by OCR over the rendered message
  // screenshot or in the display text of a link. Each branch excludes a few
  // phrases that are common in benign mail ("view this email", "view ...
  // browser"). Note the two pattern lists are not identical: "*continue*"
  // is only checked in link text, and "*business review*" is only excluded
  // for OCR text.
  and (
    any(file.explode(beta.message_screenshot()),
        strings.ilike(.scan.ocr.raw,
                      "*review*",
                      "*sign*",
                      "*view*",
                      "open",
                      "*completed document*",
                      "*open agreement*",
                      "*open document*"
        )
        and not strings.ilike(.scan.ocr.raw,
                              "*view this email*",
                              "*view*browser*",
                              "*business review*"
        )
    )
    or any(body.links,
           strings.ilike(.display_text,
                         "*review*",
                         "*sign*",
                         "*view*",
                         "open",
                         "*completed document*",
                         "*open agreement*",
                         "*open document*",
                         "*continue*"
           )
           and not strings.ilike(.display_text,
                                 "*view this email*",
                                 "*view*browser*"
           )
    )
  )
  // thread context: messages with a non-empty References header are only
  // considered when the subject does not start with a reply/forward prefix
  // (including localized forms and an "[EXT]"-style tag in front); messages
  // with no References header pass unconditionally.
  // NOTE(review): because the trailing `or length(headers.references) == 0`
  // already covers the empty-References case, the In-Reply-To hop check below
  // does not appear to change the outcome for any message -- confirm intent.
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "RES:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          or regex.imatch(subject.subject,
                          '^\[?/{0,2}(EXT|EXTERNAL)\]?/{0,2}[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
          )
        )
      )
    )
    or length(headers.references) == 0
  )
  // drop messages the NLU classifier confidently labels as marketing
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Advertising and Promotions" and .confidence == "high"
  )
  // sender authentication and familiarity gate; a message passes by either:
  //   1. SPF and DMARC both pass AND the sender is unfamiliar (unsolicited,
  //      previously malicious/spam, or no contact in the last 14 days) AND
  //      has no benign message history AND is not one of the three exempt
  //      root domains listed below (presumably Adobe-affiliated senders), or
  //   2. SPF or DMARC fails or is missing (null). In that case the
  //      familiarity checks and the domain exemption do not apply, so a
  //      message spoofing an exempt domain is still evaluated.
  and (
    (
      headers.auth_summary.spf.pass
      and headers.auth_summary.dmarc.pass
      and (
        not profile.by_sender().solicited
        or profile.by_sender().any_messages_malicious_or_spam
        or profile.by_sender_email().days_since.last_contact > 14
      )
      and not profile.by_sender().any_messages_benign
      and not sender.email.domain.root_domain in (
        "adobe-events.com",
        "frame.io",
        "workfront.com"
      )
    )
    or not headers.auth_summary.spf.pass
    or headers.auth_summary.spf.pass is null
    or not headers.auth_summary.dmarc.pass
    or headers.auth_summary.dmarc.pass is null
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
# Each signal family the `source` expression relies on.
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
# Stable rule identifier; keep unchanged across edits so references persist.
id: "32cc8bf1-f4d7-549f-a970-eade24b7c6ae"