Brand impersonation: Adobe with suspicious language and link

Email contains an Adobe logo (or Adobe-themed file-sharing language), at least one link, and suspicious call-to-action language in the link text or rendered message, sent by a sender with no benign history — or by any sender whose SPF/DMARC check fails or is missing.

Sublime rule (View on GitHub)

name: "Brand impersonation: Adobe with suspicious language and link"
description: "Email contains an Adobe logo, at least one link, and suspicious link language from a new sender."
type: "rule"
severity: "high"
source: |
  type.inbound
  // all attachments are images or 0 attachments
  // (a document-style lure would normally carry its payload as a link, not a file)
  and (
    (
      length(attachments) > 0
      and all(attachments, .file_type in $file_types_images)
    )
    or length(attachments) == 0
  )
  // the lure must give the recipient somewhere to go
  and length(body.links) > 0
  // Adobe branding: either a high-confidence Adobe logo in the rendered message,
  // or the word "adobe" in a short body (< 2000 chars) that reads as file sharing
  and (
    any(ml.logo_detect(file.message_screenshot()).brands,
        .name == "Adobe" and .confidence in ("high")
    )
    or (
      strings.icontains(body.current_thread.text, "adobe")
      and (
        // leverage topic analysis to pick up on themes
        // (exactly one topic, and it must be file sharing at non-low confidence)
        (
          length(ml.nlu_classifier(body.current_thread.text).topics) == 1
          and all(ml.nlu_classifier(body.current_thread.text).topics,
                  .name == "File Sharing and Cloud Services"
                  and .confidence != "low"
          )
        )
        // keywords if topic analysis doesn't match
        or strings.icontains(body.current_thread.text, 'review the document')
        or strings.icontains(body.current_thread.text, 'access file')
        or strings.icontains(body.current_thread.text, 'pending document')
      )
      and length(body.current_thread.text) < 2000
    )
  )
  // call-to-action language, taken either from OCR of the rendered message or
  // from link display text. "open" is an exact match; every other pattern is a
  // substring match, so "*sign*" also hits words like "design" or "signature" --
  // keep that in mind when tuning false positives.
  and (
    (
        //
        // This rule makes use of a beta feature and is subject to change without notice
        // using the beta feature in custom rules is not suggested until it has been formally released
        //
        strings.ilike(beta.ocr(file.message_screenshot()).text,
                      "*review*",
                      "*sign*",
                      "*view*",
                      "open",
                      "*completed document*",
                      "*open agreement*",
                      "*open document*"
        )
        // common benign phrases that would otherwise satisfy "*view*"/"*review*"
        and not strings.ilike(beta.ocr(file.message_screenshot()).text,
                              "*view this email*",
                              "*view*browser*",
                              "*business review*"
        )
    )
    // NOTE(review): the link-text exclusions below omit "*business review*",
    // which the OCR branch above excludes -- confirm the asymmetry is intended.
    or any(body.links,
           strings.ilike(.display_text,
                         "*review*",
                         "*sign*",
                         "*view*",
                         "open",
                         "*completed document*",
                         "*open agreement*",
                         "*open document*",
                         "*continue*"
           )
           and not strings.ilike(.display_text,
                                 "*view this email*",
                                 "*view*browser*"
           )
    )
  )
  // negate genuine replies/forwards: a reply-style subject prefix together with a
  // populated References header. A subject that merely claims "RE:"/"FWD:" while
  // carrying no References at all is deliberately NOT negated (the final
  // `or length(headers.references) == 0` branch), since thread-hijack lures look
  // exactly like that.
  // NOTE(review): assuming headers.references is an empty list (not null) when
  // absent, the In-Reply-To hop check never changes the outcome -- with a
  // non-empty References the first disjunct is already true, and with an empty
  // one the final `or` short-circuits. Confirm whether an In-Reply-To-without-
  // References message was meant to be negated.
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "RES:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          // same prefixes when preceded by an external-mail tag such as
          // "[EXT] RE:". NOTE(review): this alternation lacks "RES" and "R",
          // which the plain checks above accept; "FWD?" already covers "FW",
          // so the extra "|FW" is redundant but harmless.
          or regex.imatch(subject.subject,
                          '^\[?/{0,2}(EXT|EXTERNAL)\]?/{0,2}[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
          )
        )
      )
    )
    or length(headers.references) == 0
  )
  // drop mail the classifier is confident is marketing/promotional
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Advertising and Promotions" and .confidence == "high"
  )
  // sender reputation gate:
  //  - when SPF and DMARC both pass, alert only for senders that are unsolicited,
  //    have prior malicious/spam history, or have been silent for more than 14
  //    days, AND that have no benign history AND are not one of the three known
  //    Adobe-product sending domains listed below.
  //  - when SPF or DMARC fails or produced no result, none of those checks apply:
  //    the history and the allow-list are bypassed, so a spoof of frame.io /
  //    workfront.com / adobe-events.com still alerts. The explicit `is null`
  //    cases are there because a missing result must count as "not passed".
  and (
    (
      headers.auth_summary.spf.pass
      and headers.auth_summary.dmarc.pass
      and (
        not profile.by_sender().solicited
        or profile.by_sender().any_messages_malicious_or_spam
        or profile.by_sender_email().days_since.last_contact > 14
      )
      and not profile.by_sender().any_messages_benign
      and not sender.email.domain.root_domain in (
        "adobe-events.com",
        "frame.io",
        "workfront.com"
      )
    )
    or not headers.auth_summary.spf.pass
    or headers.auth_summary.spf.pass is null
    or not headers.auth_summary.dmarc.pass
    or headers.auth_summary.dmarc.pass is null
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // NOTE(review): unlike the block above, this one has no `is null` case; if
  // `not` on a null dmarc.pass does not evaluate true, a high-trust domain with
  // no DMARC result is exempt as well -- confirm that is intended.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "32cc8bf1-f4d7-549f-a970-eade24b7c6ae"