Brand impersonation: Adobe with suspicious language and link
Email contains an Adobe logo, at least one link, and suspicious link language from a new sender.
# Sublime Security detection rule: YAML metadata plus an MQL query in `source`.
# The query fires on inbound mail that pairs Adobe branding (logo detection, or
# "adobe" in the thread text with a document-sharing theme/keyword) with
# call-to-action wording, and whose sender has no established benign history.
name: "Brand impersonation: Adobe with suspicious language and link"
description: "Email contains an Adobe logo, at least one link, and suspicious link language from a new sender."
type: "rule"
severity: "high"
source: |
  type.inbound
  // all attachments are images or 0 attachments
  and (
    (
      length(attachments) > 0
      and all(attachments, .file_type in $file_types_images)
    )
    or length(attachments) == 0
  )
  // at least one link is required; the call-to-action check below inspects link text
  and length(body.links) > 0
  // Adobe branding: a high-confidence logo match on the rendered message, or
  // the word "adobe" in the current thread text combined with a file-sharing
  // topic or keyword, restricted to short (< 2000 char) bodies
  and (
    any(ml.logo_detect(beta.message_screenshot()).brands,
        .name == "Adobe" and .confidence in ("high")
    )
    or (
      strings.icontains(body.current_thread.text, "adobe")
      and (
        // leverage topic analysis to pick up on themes
        (
          length(ml.nlu_classifier(body.current_thread.text).topics) == 1
          and all(ml.nlu_classifier(body.current_thread.text).topics,
                  .name == "File Sharing and Cloud Services"
                  and .confidence != "low"
          )
        )
        // keywords if topic analysis doesn't match
        or strings.icontains(body.current_thread.text, 'review the document')
        or strings.icontains(body.current_thread.text, 'access file')
        or strings.icontains(body.current_thread.text, 'pending document')
      )
      and length(body.current_thread.text) < 2000
    )
  )
  // call-to-action language, either in OCR text of the rendered message or in
  // a link's display text; common "view this email / view in browser" phrases
  // are excluded so newsletters do not satisfy this branch on their own
  and (
    any(file.explode(beta.message_screenshot()),
        strings.ilike(.scan.ocr.raw,
                      "*review*",
                      "*sign*",
                      "*view*",
                      "open",
                      "*completed document*",
                      "*open agreement*",
                      "*open document*"
        )
        and not strings.ilike(.scan.ocr.raw,
                              "*view this email*",
                              "*view*browser*",
                              "*business review*"
        )
    )
    or any(body.links,
           strings.ilike(.display_text,
                         "*review*",
                         "*sign*",
                         "*view*",
                         "open",
                         "*completed document*",
                         "*open agreement*",
                         "*open document*",
                         "*continue*"
           )
           and not strings.ilike(.display_text,
                                 "*view this email*",
                                 "*view*browser*"
           )
    )
  )
  // reply/forward handling: a message that carries References or no
  // In-Reply-To hop field must not have a reply/forward subject prefix;
  // a message with no References header at all passes regardless of subject
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "RES:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          // also catches "[EXT] RE:" style external-tag prefixes ahead of the reply marker
          or regex.imatch(subject.subject,
                          '^\[?/{0,2}(EXT|EXTERNAL)\]?/{0,2}[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
          )
        )
      )
    )
    or length(headers.references) == 0
  )
  // suppress mail classified with high confidence as marketing
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Advertising and Promotions" and .confidence == "high"
  )
  // sender gate: an authenticated (SPF and DMARC pass) sender is only
  // accepted when unsolicited, previously malicious/spam, or not seen for
  // more than 14 days, with no benign history and not a listed Adobe-related
  // root domain; a sender that fails or lacks SPF/DMARC results passes the
  // gate unconditionally.
  // NOTE(review): the description says "new sender", but the profile checks
  // also admit known senders with prior malicious/spam messages or > 14 days
  // since last contact — confirm the description matches the intended scope
  and (
    (
      headers.auth_summary.spf.pass
      and headers.auth_summary.dmarc.pass
      and (
        not profile.by_sender().solicited
        or profile.by_sender().any_messages_malicious_or_spam
        or profile.by_sender_email().days_since.last_contact > 14
      )
      and not profile.by_sender().any_messages_benign
      and not sender.email.domain.root_domain in (
        "adobe-events.com",
        "frame.io",
        "workfront.com"
      )
    )
    or not headers.auth_summary.spf.pass
    or headers.auth_summary.spf.pass is null
    or not headers.auth_summary.dmarc.pass
    or headers.auth_summary.dmarc.pass is null
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
# Each method here corresponds to a signal used in `source` above
# (logo/OCR, NLU topics and keywords, header checks, sender profile).
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
# Stable rule identifier; keep unchanged across edits so references persist.
id: "32cc8bf1-f4d7-549f-a970-eade24b7c6ae"