Brand impersonation: Adobe with suspicious language and link
Email contains an Adobe logo, at least one link, and suspicious link language from a new sender.
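name: "Brand impersonation: Adobe with suspicious language and link"
description: "Email contains an Adobe logo, at least one link, and suspicious link language from a new sender."
type: "rule"
severity: "high"
source: |
  type.inbound
  // all attachments are images or 0 attachments
  // (a message carrying any non-image attachment is out of scope for this rule)
  and (
    (
      length(attachments) > 0
      and all(attachments, .file_type in $file_types_images)
    )
    or length(attachments) == 0
  )
  // there must be at least one link for the recipient to click
  and length(body.links) > 0
  // computer vision: an Adobe logo must be detected in the rendered message
  // with high confidence. This is the expensive check; the cheap structural
  // checks above come first (presumably so the screenshot is only rendered
  // when they pass -- depends on the engine short-circuiting `and`)
  and any(ml.logo_detect(beta.message_screenshot()).brands,
          .name == "Adobe" and .confidence in ("high")
  )
  // call-to-action language, either in the OCR text of the rendered message
  // (catches text embedded in images) or in a link's display text, minus a few
  // benign footer phrases ("view this email", "view in browser").
  // The wildcards are deliberately broad ("*sign*" also hits "design" and
  // "assignment"); the logo and sender gates below carry the precision.
  // NOTE(review): the bare "open" pattern has no wildcards, so against the whole
  // OCR dump it appears to fire only when the entire recognised text is "open";
  // it is meaningful for link display text, where a button reads just "Open".
  // Confirm strings.ilike semantics before tightening.
  // NOTE(review): "*business review*" is excluded for OCR text but not for link
  // display text -- confirm whether the asymmetry is intended.
  and (
    any(file.explode(beta.message_screenshot()),
        strings.ilike(.scan.ocr.raw,
                      "*review*",
                      "*sign*",
                      "*view*",
                      "open",
                      "*completed document*",
                      "*open agreement*",
                      "*open document*"
        )
        and not strings.ilike(.scan.ocr.raw,
                              "*view this email*", "*view*browser*", "*business review*"
        )
    )
    or any(body.links,
           strings.ilike(.display_text,
                         "*review*",
                         "*sign*",
                         "*view*",
                         "open",
                         "*completed document*",
                         "*open agreement*",
                         "*open document*"
           )
           and not strings.ilike(.display_text,
                                 "*view this email*", "*view*browser*"
           )
    )
  )
  // negate replies and forwards in an existing thread: reply/forward subject
  // prefixes in several languages, plus a regex for up to three bracketed tags
  // followed by RE:/FW:/FWD:/"Automatic reply:"-style prefixes.
  // NOTE(review): assuming length(headers.references) is always a non-negative
  // integer, this group reduces to "no References header, or the subject does
  // not carry a reply/forward prefix": when References is empty the trailing
  // `or` makes the whole group true, and when it is non-empty the first disjunct
  // of the inner `or` is already true, so the In-Reply-To hop check never decides
  // the outcome. If the intent was to also suppress messages that carry
  // In-Reply-To, this needs restructuring; left as-is here to avoid changing
  // detection behaviour.
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "RES:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          or regex.imatch(subject.subject,
                          '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
          )
        )
      )
    )
    or length(headers.references) == 0
  )
  // sender must be unsolicited (no prior outbound contact), or previously seen
  // sending malicious/spam mail with no recorded false positives
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a high-trust domain that does not pass DMARC is kept in scope, since that
  // is the spoofing case this rule must not suppress)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "32cc8bf1-f4d7-549f-a970-eade24b7c6ae"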