Brand impersonation: Adobe with suspicious language and link

Email contains an Adobe logo, at least one link, and suspicious link language from a new sender.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Adobe with suspicious language and link"
 2description: "Email contains an Adobe logo, at least one link, and suspicious link language from a new sender."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  // all attachments are images or 0 attachments
 8  and (
 9    (
10      length(attachments) > 0
11      and all(attachments, .file_type in $file_types_images)
12    )
13    or length(attachments) == 0
14  )
15  and length(body.links) > 0
16  and any(ml.logo_detect(beta.message_screenshot()).brands,
17          .name == "Adobe" and .confidence in ("high")
18  )
19  and (
20    any(file.explode(beta.message_screenshot()),
21        strings.ilike(.scan.ocr.raw,
22                      "*review*",
23                      "*sign*",
24                      "*view*",
25                      "*completed document*",
26                      "*open agreement*",
27                      "*open document*"
28        )
29        and not strings.ilike(.scan.ocr.raw,
30                                  "*view this email in*"
31        )
32    )
33    or any(body.links,
34           strings.ilike(.display_text,
35                         "*review*",
36                         "*sign*",
37                         "*view*",
38                         "*completed document*",
39                         "*open agreement*",
40                         "*open document*"
41           )
42           and not strings.ilike(.display_text,
43                                     "*view this email in*"
44           )
45    )
46  )
47  and (
48    not profile.by_sender().solicited
49    or (
50      profile.by_sender().any_messages_malicious_or_spam
51      and not profile.by_sender().any_false_positives
52    )
53  )
54  // negate highly trusted sender domains unless they fail DMARC authentication
55  and (
56    (
57      sender.email.domain.root_domain in $high_trust_sender_root_domains
58      and not headers.auth_summary.dmarc.pass
59    )
60    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
61  )
62    
63attack_types:
64  - "Credential Phishing"
65tactics_and_techniques:
66  - "Impersonation: Brand"
67  - "Social engineering"
68detection_methods:
69  - "Computer Vision"
70  - "Content analysis"
71  - "Header analysis"
72  - "Sender analysis"
73id: "32cc8bf1-f4d7-549f-a970-eade24b7c6ae"
to-top