Link to auto-downloaded file with Adobe branding

A link in the body of the email downloads a file from a site that uses Adobe branding as employed by threat actors, such as Qakbot.

Sublime rule (View on GitHub)

 1name: "Link to auto-downloaded file with Adobe branding"
 2description: |
 3    A link in the body of the email downloads a file from a site that uses Adobe branding as employed by threat actors, such as Qakbot.
 4type: "rule"
 5references:
 6  - "https://delivr.to/payloads?id=0e04949a-24f3-4acd-b77c-bbffc4cb3cb9"
 7  - "https://twitter.com/ankit_anubhav/status/1578257383133876225"
 8severity: "high"
 9source: |
10  type.inbound
11  and any(body.links,
12          // There are files downloaded
13          length(beta.linkanalysis(.).files_downloaded) > 0
14          and 
15
16          // Adobe branding
17          beta.linkanalysis(.).credphish.brand.name == "Adobe"
18          and beta.linkanalysis(.).credphish.brand.confidence == "high"
19          and 
20
21          // Qakbot text for user coercion
22          any(file.explode(beta.linkanalysis(.).screenshot),
23              all(["the file is not displayed correctly", "document password"],
24                  strings.icontains(..scan.ocr.raw, .)
25              )
26          )
27  )
28  and (
29    not profile.by_sender().solicited
30    or (
31      profile.by_sender().any_messages_malicious_or_spam
32      and not profile.by_sender().any_false_positives
33    )
34  )  
35tags:
36  - "Malfam: QakBot"
37attack_types:
38  - "Malware/Ransomware"
39tactics_and_techniques:
40  - "Impersonation: Brand"
41  - "Social engineering"
42detection_methods:
43  - "File analysis"
44  - "Optical Character Recognition"
45  - "Sender analysis"
46  - "URL analysis"
47  - "URL screenshot"
48id: "e826c2cf-740c-5588-b0a1-8f45bb5baf47"

Related rules

to-top