Brand impersonation: Adobe with suspicious language and link
Email contains an Adobe logo, at least one link, and suspicious link language from a new sender.
Sublime rule
name: "Brand impersonation: Adobe with suspicious language and link"
description: "Email contains an Adobe logo, at least one link, and suspicious link language from a new sender."
type: "rule"
severity: "high"
# Detection logic, in evaluation order (every clause must hold):
#   1. inbound message whose attachments are all images, or that has none
#   2. at least one link in the body
#   3. Adobe branding: a high-confidence logo match on the rendered message, or the
#      body text mentions "adobe" together with a file-sharing theme / document phrase
#   4. action-style wording ("review", "sign", "view", ...) in the OCR'd screenshot
#      text or in a link's display text, minus a short list of excluded phrases
#   5. not a genuine reply/forward, and not classified under the listed
#      promotional/newsletter topics
#   6. sender-reputation checks that apply only when SPF and DMARC both pass
#   7. high-trust sender domains are excluded unless DMARC fails
# Names prefixed with $ are shared lists maintained outside this rule.
source: |
  type.inbound
  // All attachments are images or 0 attachments
  and (
    (
      length(attachments) > 0
      and all(attachments, .file_type in $file_types_images)
    )
    or length(attachments) == 0
  )
  // The lure is link-based, so at least one link is required
  and length(body.links) > 0
  // Adobe brand signal: either a high-confidence logo match on the rendered
  // message, or a text mention of "adobe" (excluding two product names) in a
  // short body that has a file-sharing theme or a document-review phrase
  and (
    any(ml.logo_detect(file.message_screenshot()).brands,
        .name == "Adobe" and .confidence in ("high")
    )
    or (
      strings.icontains(body.current_thread.text, "adobe")
      and not strings.icontains(body.current_thread.text, "adobe marketplace")
      and not strings.icontains(body.current_thread.text, "adobe analytics")
      and (
        // Leverage topic analysis to pick up on themes
        (
          length(ml.nlu_classifier(body.current_thread.text).topics) == 1
          and all(ml.nlu_classifier(body.current_thread.text).topics,
                  .name == "File Sharing and Cloud Services"
                  and .confidence != "low"
          )
        )
        // Key phrases if topic analysis doesn't match
        or strings.icontains(body.current_thread.text, 'review the document')
        or strings.icontains(body.current_thread.text, 'access file')
        or strings.icontains(body.current_thread.text, 'pending document')
        or any(body.links, strings.ilike(.display_text, 'review and sign'))
      )
      // Only short bodies qualify for the text-based branch; presumably meant to
      // keep long marketing/newsletter content out — confirm before changing
      and length(body.current_thread.text) < 2000
    )
  )
  // Action-style wording, either in the OCR'd screenshot text or in a link's
  // display text. Note the two branches differ slightly: only the OCR branch
  // excludes "*business review*", and only the link branch matches "*continue*".
  and (
    (
      //
      // This rule makes use of a beta feature and is subject to change without notice
      // using the beta feature in custom rules is not suggested until it has been formally released
      //
      strings.ilike(beta.ocr(file.message_screenshot()).text,
                    "*review*",
                    "*sign*",
                    "*view*",
                    "open",
                    "*completed document*",
                    "*open agreement*",
                    "*open document*"
      )
      and not strings.ilike(beta.ocr(file.message_screenshot()).text,
                            "*view this email*",
                            "*view*browser*",
                            "*view online*",
                            "*business review*"
      )
    )
    or any(body.links,
           strings.ilike(.display_text,
                         "*review*",
                         "*sign*",
                         "*view*",
                         "open",
                         "*completed document*",
                         "*open agreement*",
                         "*open document*",
                         "*continue*"
           )
           and not strings.ilike(.display_text,
                                 "*view this email*",
                                 "*view*browser*",
                                 "*view online*"
           )
    )
  )
  // Negate replies & forwards
  // Effective behaviour: the message is skipped only when References is
  // non-empty AND the subject carries a reply/forward prefix. A message with no
  // References entries is always evaluated, whatever its subject says (a "RE:"
  // subject without threading headers is not treated as a real reply).
  // NOTE(review): the In-Reply-To hop check below cannot change the outcome —
  // when References is non-empty the first disjunct is already true, and when
  // it is empty the trailing `or length(headers.references) == 0` passes
  // regardless. Confirm whether it was meant to gate the empty-References case.
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "RES:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          or regex.imatch(subject.subject,
                          '^\[?/{0,2}(EXT|EXTERNAL)\]?/{0,2}[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
          )
        )
      )
    )
    or length(headers.references) == 0
  )
  // Negate certain common topics
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in (
                "Advertising and Promotions",
                "Events and Webinars",
                "Professional and Career Development",
                "Newsletters and Digests"
              )
              and .confidence != "low"
  )
  // Sender reputation gate. When SPF and DMARC both pass, the sender must be
  // unsolicited, have prior malicious/spam mail, or have had no contact for
  // more than 14 days, with no benign history and not on the affiliate /
  // legitimate-domain list. When either check fails or is absent, none of
  // these sender-history negations apply.
  and (
    (
      headers.auth_summary.spf.pass
      and headers.auth_summary.dmarc.pass
      and (
        not profile.by_sender().solicited
        or profile.by_sender().any_messages_malicious_or_spam
        or profile.by_sender_email().days_since.last_contact > 14
      )
      and not profile.by_sender().any_messages_benign
      // Negate affiliates, sub-products & legitimate domains
      and not sender.email.domain.root_domain in (
        "adobe-events.com",
        "frame.io",
        "nudgesecurity.io",
        "adobesignsandbox.com",
        "magento.com",
        "workfront.com"
      )
      // Further exclusions: mail relayed via zohomail.com and Message-IDs ending
      // in omniture.com> — presumably legitimate Adobe-related senders; verify
      // before removing or extending
      and not any(headers.domains, .root_domain == "zohomail.com")
      and not strings.iends_with(headers.message_id, 'omniture.com>')
    )
    or not headers.auth_summary.spf.pass
    or headers.auth_summary.spf.pass is null
    or not headers.auth_summary.dmarc.pass
    or headers.auth_summary.dmarc.pass is null
  )
  // Negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "32cc8bf1-f4d7-549f-a970-eade24b7c6ae"