Link to auto-downloaded file with Adobe branding

A link in the body of the email downloads a file from a site that uses Adobe branding, a lure employed by threat actors such as Qakbot.

Sublime rule

name: "Link to auto-downloaded file with Adobe branding"
description: |
    A link in the body of the email downloads a file from a site that uses Adobe branding as employed by threat actors, such as Qakbot.
type: "rule"
references:
  - "https://delivr.to/payloads?id=0e04949a-24f3-4acd-b77c-bbffc4cb3cb9"
  - "https://twitter.com/ankit_anubhav/status/1578257383133876225"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          // There are files downloaded
          length(beta.linkanalysis(.).files_downloaded) > 0
          and

          // Adobe branding
          beta.linkanalysis(.).credphish.brand.name == "Adobe"
          and beta.linkanalysis(.).credphish.brand.confidence == "high"
          and

          // Qakbot text for user coercion
          any(file.explode(beta.linkanalysis(.).screenshot),
              all(["the file is not displayed correctly", "document password"],
                  strings.icontains(..scan.ocr.raw, .)
              )
          )
  )
  // unsolicited
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
tags:
  - "Malfam: QakBot"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "e826c2cf-740c-5588-b0a1-8f45bb5baf47"
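The rule above has three conjuncts per link (a file was auto-downloaded, the landing page carries high-confidence Adobe branding, and the page screenshot's OCR text contains both coercion phrases) combined with a sender check that depends on whether the sender domain is a free-mail provider. The following is an added example, not code from the rule page or from Sublime: a small Python model of that logic, run over constructed link-analysis results so each condition can be exercised in isolation. The data shapes (LinkAnalysis, Message) and the membership of the $free_email_providers, $recipient_emails and $recipient_domains lists are assumptions; in production Sublime supplies the link-analysis, OCR and sender-context data itself.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-ins for the rule's $free_email_providers, $recipient_emails
# and $recipient_domains lists (the real lists are maintained by the platform).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
RECIPIENT_EMAILS = {"vendor.contact@gmail.com"}   # a free-mail address the org has mailed before
RECIPIENT_DOMAINS = {"partner.example"}           # a domain the org has mailed before

# Coercion phrases from the rule; every one must appear (case-insensitively) in the OCR text.
COERCION_PHRASES = ["the file is not displayed correctly", "document password"]


@dataclass
class LinkAnalysis:
    """Assumed shape for what beta.linkanalysis(.) reports for one link."""
    files_downloaded: List[str]        # names of files the page auto-downloaded
    brand_name: Optional[str]          # credphish.brand.name
    brand_confidence: Optional[str]    # credphish.brand.confidence
    screenshot_ocr: str                # ..scan.ocr.raw of the exploded screenshot


@dataclass
class Message:
    """Assumed shape for the sender fields the rule reads."""
    sender_email: str        # sender.email.email
    sender_domain: str       # sender.email.domain.domain (full domain)
    sender_root_domain: str  # sender.email.domain.root_domain (registrable domain)
    links: List[LinkAnalysis]


def link_matches(la: LinkAnalysis) -> bool:
    """Per-link branch: auto-download, high-confidence Adobe brand, and all coercion phrases."""
    if len(la.files_downloaded) == 0:
        return False
    if not (la.brand_name == "Adobe" and la.brand_confidence == "high"):
        return False
    ocr = la.screenshot_ocr.lower()  # strings.icontains is case-insensitive
    return all(phrase in ocr for phrase in COERCION_PHRASES)


def is_unsolicited(msg: Message) -> bool:
    """Sender branch: unknown free-mail address, or an external domain never mailed before."""
    if msg.sender_root_domain in FREE_EMAIL_PROVIDERS:
        return msg.sender_email not in RECIPIENT_EMAILS
    return msg.sender_domain not in RECIPIENT_DOMAINS


def rule_matches(msg: Message) -> bool:
    """any(body.links, <link conditions>) and <unsolicited>."""
    return any(link_matches(la) for la in msg.links) and is_unsolicited(msg)


def build_samples() -> Dict[str, Message]:
    """Constructed messages covering the match and each way the rule declines to fire."""
    lure = LinkAnalysis(
        files_downloaded=["Document_0125.zip"],
        brand_name="Adobe", brand_confidence="high",
        screenshot_ocr="Adobe Acrobat\nThe file is NOT displayed correctly.\nDocument password: 1234",
    )
    no_download = LinkAnalysis([], "Adobe", "high", "Adobe Acrobat Reader download page")
    medium_brand = LinkAnalysis(["x.zip"], "Adobe", "medium", lure.screenshot_ocr)
    one_phrase = LinkAnalysis(["x.zip"], "Adobe", "high", "Adobe\nDocument password: 1234")
    return {
        "lure_from_unknown_freemail": Message("attacker123@gmail.com", "gmail.com", "gmail.com", [lure]),
        "lure_from_known_freemail": Message("vendor.contact@gmail.com", "gmail.com", "gmail.com", [lure]),
        "lure_from_external_domain": Message("billing@mail.evil-example.test",
                                             "mail.evil-example.test", "evil-example.test",
                                             [no_download, lure]),
        "lure_from_known_partner": Message("bob@partner.example", "partner.example", "partner.example", [lure]),
        "no_file_downloaded": Message("attacker123@gmail.com", "gmail.com", "gmail.com", [no_download]),
        "medium_brand_confidence": Message("attacker123@gmail.com", "gmail.com", "gmail.com", [medium_brand]),
        "only_one_coercion_phrase": Message("attacker123@gmail.com", "gmail.com", "gmail.com", [one_phrase]),
    }


def run_samples() -> Dict[str, bool]:
    """Evaluate the rule model over every constructed sample."""
    return {name: rule_matches(msg) for name, msg in build_samples().items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:30s} -> {'MATCH' if verdict else 'no match'}")
```

The samples show the two ways a message escapes the sender branch (a free-mail address that has been mailed before, or a previously contacted partner domain) as well as each per-link condition failing on its own, which is the set of cases to keep in mind when tuning this rule against false negatives.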
