Brand impersonation: Adobe with suspicious language and link
Email contains an Adobe logo, at least one link, and suspicious link language from a new sender.
# Sublime Security detection rule. The `source` block is a Message Query
# Language (MQL) expression evaluated against each message; the rule fires
# when the whole expression is true. Lines beginning with // inside `source`
# are MQL comments, not YAML comments.
name: "Brand impersonation: Adobe with suspicious language and link"
description: "Email contains an Adobe logo, at least one link, and suspicious link language from a new sender."
type: "rule"
severity: "high"
source: |
  // only inbound mail is evaluated
  type.inbound
  // all attachments are images or 0 attachments
  // (a single non-image attachment takes the message out of scope)
  and (
    (
      length(attachments) > 0
      and all(attachments, .file_type in $file_types_images)
    )
    or length(attachments) == 0
  )
  // the message body must carry at least one link
  and length(body.links) > 0
  // computer-vision logo detection on a screenshot of the message must
  // report the Adobe brand, and only a "high" confidence result counts
  and any(ml.logo_detect(beta.message_screenshot()).brands,
          .name == "Adobe" and .confidence in ("high")
  )
  // lure wording, matched either in the OCR text of the message screenshot
  // or in the display text of any body link. strings.ilike is a
  // case-insensitive wildcard match, so "*view*" also covers "review" and
  // "*sign*" covers "design"/"signature". The "*view this email in*"
  // exclusion presumably skips the common "view this email in your browser"
  // footer wording — confirm against false-positive data. The same pattern
  // list appears in both branches; keep the two copies in sync when editing.
  and (
    any(file.explode(beta.message_screenshot()),
        strings.ilike(.scan.ocr.raw,
                      "*review*",
                      "*sign*",
                      "*view*",
                      "*completed document*",
                      "*open agreement*",
                      "*open document*"
        )
        and not strings.ilike(.scan.ocr.raw,
                              "*view this email in*"
        )
    )
    or any(body.links,
           strings.ilike(.display_text,
                         "*review*",
                         "*sign*",
                         "*view*",
                         "*completed document*",
                         "*open agreement*",
                         "*open document*"
           )
           and not strings.ilike(.display_text,
                                 "*view this email in*"
           )
    )
  )
  // sender reputation: the sender is either not established for this
  // organisation (new / outlier) or has prior malicious-or-spam messages
  // with no recorded false positives
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // i.e. a message whose root domain is in $high_trust_sender_root_domains is
  // suppressed only when it passes DMARC; a failing (possibly spoofed) one
  // still fires. NOTE(review): when headers.auth_summary.dmarc.pass is
  // absent, the outcome depends on how `not` treats a missing value — confirm.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# classification metadata for the rule
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
# rule identifier
id: "32cc8bf1-f4d7-549f-a970-eade24b7c6ae"