Link: Adobe Share from Unsolicited Sender
This attack surface reduction rule matches on messages from Adobe which were sent by an email address (as determined by the sender display name) which doesn't appear to have a relationship with the recipient organization.
Sublime rule

name: "Link: Adobe Share from Unsolicited Sender"
description: "This attack surface reduction rule matches on messages from Adobe which were sent by an email address (as determined by the sender display name) which doesn't appear to have a relationship with the recipient organization."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // actually sent by Adobe
  and strings.icontains(sender.display_name, 'via Adobe')
  and sender.email.email == 'message@adobe.com'
  and headers.auth_summary.dmarc.pass
  // contains a link to open or review a share
  and any(body.links, .display_text =~ "open" or .display_text =~ "review")
  // attempt to ensure the sharer (taken from sender.display_name) does NOT have a relationship with the recipient org

  // not shared by an Adobe user within the org's domains
  and not any($org_domains,
              strings.icontains(sender.display_name, strings.concat("@", ., ' via Adobe'))
  )
  // the org has never sent a message to the address within sender.display_name
  and not any($recipient_emails, strings.istarts_with(sender.display_name, .))
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "8e29ab33-a52a-5a48-9e2b-f178ded7d7bb"
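The rule above relies on the fact that Adobe share notifications always arrive from message@adobe.com, so the only signal about who actually shared the file is the display name ("someone@domain via Adobe"). The following Python is an added example, not Sublime's code or MQL, that mirrors the same decision logic over constructed sample messages so the three exclusions can be seen side by side: a sharer in one of the org's own domains, a sharer the org has previously emailed, and a notification that fails DMARC. The org domain, the addresses and the message objects are all placeholders invented for the example; Sublime's `$org_domains` and `$recipient_emails` lists are modelled as plain sets.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Constructed placeholders standing in for Sublime's org-specific lists.
ORG_DOMAINS = {"example.org"}                 # $org_domains
RECIPIENT_EMAILS = {"partner@contoso.test"}   # $recipient_emails: addresses the org has mailed before


@dataclass
class Link:
    display_text: str
    href: str = ""


@dataclass
class Message:
    inbound: bool
    sender_display_name: str   # e.g. "someone@domain via Adobe"
    sender_email: str          # envelope/From address
    dmarc_pass: bool
    links: List[Link] = field(default_factory=list)


def is_adobe_share(msg: Message) -> bool:
    """Genuine Adobe notification: 'via Adobe' display name, Adobe sender, DMARC pass."""
    return (
        "via adobe" in msg.sender_display_name.lower()
        and msg.sender_email.lower() == "message@adobe.com"
        and msg.dmarc_pass
    )


def has_open_or_review_link(msg: Message) -> bool:
    """MQL's =~ is case-insensitive equality, so the link text must be exactly 'open' or 'review'."""
    return any(link.display_text.strip().lower() in ("open", "review") for link in msg.links)


def sharer_is_org_user(display_name: str, org_domains: Iterable[str]) -> bool:
    """Display name contains '@<org domain> via Adobe' for one of the org's own domains."""
    name = display_name.lower()
    return any(f"@{domain.lower()} via adobe" in name for domain in org_domains)


def sharer_previously_contacted(display_name: str, recipient_emails: Iterable[str]) -> bool:
    """Display name starts with an address the org has already sent mail to."""
    name = display_name.lower()
    return any(name.startswith(addr.lower()) for addr in recipient_emails)


def matches_rule(msg: Message,
                 org_domains: Iterable[str] = ORG_DOMAINS,
                 recipient_emails: Iterable[str] = RECIPIENT_EMAILS) -> bool:
    """True when the message is an Adobe share from a sharer with no known relationship to the org."""
    return (
        msg.inbound
        and is_adobe_share(msg)
        and has_open_or_review_link(msg)
        and not sharer_is_org_user(msg.sender_display_name, org_domains)
        and not sharer_previously_contacted(msg.sender_display_name, recipient_emails)
    )


def build_samples() -> Dict[str, Message]:
    """Constructed messages covering the match case and each exclusion."""
    open_link = [Link("Open", "https://share.example.invalid/doc")]
    return {
        "unsolicited": Message(True, "stranger@mailhost.test via Adobe", "message@adobe.com", True, open_link),
        "org_user": Message(True, "alice@example.org via Adobe", "message@adobe.com", True, open_link),
        "known_partner": Message(True, "partner@contoso.test via Adobe", "message@adobe.com", True, open_link),
        "dmarc_fail": Message(True, "stranger@mailhost.test via Adobe", "message@adobe.com", False, open_link),
        "no_open_link": Message(True, "stranger@mailhost.test via Adobe", "message@adobe.com", True,
                                [Link("Download now", "https://share.example.invalid/doc")]),
        "spoofed_sender": Message(True, "stranger@mailhost.test via Adobe", "notify@adobe-share.test", True, open_link),
    }


def evaluate_samples() -> Dict[str, bool]:
    """Run the rule over every sample and return the verdicts by name."""
    return {name: matches_rule(msg) for name, msg in build_samples().items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:15} -> {'MATCH' if verdict else 'no match'}")
```

Only the first sample fires; the other five show why each clause exists. Note that both relationship checks depend entirely on the display name string, so a share from a previously contacted address is treated as solicited even though nothing on the message proves that address actually initiated the share.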