Link: Multistage landing - Abuse Adobe Acrobat hosted PDF

Detects an inbound message containing an Adobe Acrobat link that leads to a single page PDF document with suspicious indicators, including minimal text, brand logos, and document viewer language. The sender is not from Adobe.com and the message is not a reply.

Sublime rule

 1name: "Link: Multistage landing - Abuse Adobe Acrobat hosted PDF"
 2description: "Detects an inbound message containing an Adobe Acrobat link that leads to a single page PDF document with suspicious indicators, including minimal text, brand logos, and document viewer language. The sender is not from Adobe.com and the message is not a reply."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
    // at least one body link points at an Acrobat share URL (acrobat.adobe.com/id/urn:...)
 7  and any(body.links,
 8          .href_url.domain.domain == "acrobat.adobe.com"
 9          and strings.istarts_with(.href_url.path, '/id/urn:')
10  )
    // exactly one distinct Acrobat share URL in the body (a single lure link)
11  and length(distinct(filter(body.links,
12                             .href_url.domain.domain == "acrobat.adobe.com"
13                             and strings.istarts_with(.href_url.path, '/id/urn:')
14                      ),
15                      .href_url.url
16             )
17  ) == 1
    // follow that Acrobat link with aggressive link analysis and inspect the
    // files exposed by its additional responses (the hosted PDF)
18  and any(filter(body.links,
19                 .href_url.domain.domain == "acrobat.adobe.com"
20                 and strings.istarts_with(.href_url.path, '/id/urn:')
21          ),
22          any(ml.link_analysis(., mode="aggressive").additional_responses,
23              (
                  // each additional response exposes a .file; explode it so the PDF can be scanned
24                any(file.explode(.file),
25                    any(.scan.exiftool.fields,
26                    // password protected pdf: exiftool raises a Warning and the content
                      // cannot be inspected, so this condition alone is enough (it is OR'd
                      // with the page-count / lure-indicator branch below)
27                        .key == "Warning"
28                        and strings.icontains(.value, "password protected")
29                    )
30                )
31                // otherwise: a low number of links (one or two URLs inside the PDF),
                  // a single page, and at least one lure indicator
32                or (
33                  any(file.explode(.file), 1 <= length(.scan.url.urls) <= 2)
34                  // a single page document
35                  and any(file.explode(.file),
36                          .scan.exiftool.page_count == 1
37                          // page_count is null when exiftool fails on the document;
                            // accept null so a malformed PDF does not bypass the check
38                          or .scan.exiftool.page_count is null
39                  )
40                  // suspicious indicators: a file-sharing / e-sign brand logo, or short
                    // OCR text carrying document-viewer or e-sign lure phrasing
41                  and (
42                    // logo detection of file-sharing / e-sign brands (DocuSign, Adobe, Microsoft*)
43                    any(ml.logo_detect(.file).brands,
44                        .name in ("DocuSign", "Adobe")
45                        or strings.istarts_with(.name, 'Microsoft')
46                    )
47                    // or the OCR text is short (under 750 characters) and contains one of
                      // the document-viewer / e-sign phrases typical of a fake document landing
48                    or (
49                      length(beta.ocr(.file).text) < 750
50                      and (
51                        strings.icontains(beta.ocr(.file).text, 'view document')
52                        or strings.icontains(beta.ocr(.file).text,
53                                             'New PDF Document'
54                        )
55                        or strings.icontains(beta.ocr(.file).text,
56                                             'please wait...'
57                        )
58                        or strings.icontains(beta.ocr(.file).text,
59                                             "display this type of document"
60                        )
61                        or strings.icontains(beta.ocr(.file).text, 'PDF viewer')
62                        or regex.icontains(beta.ocr(.file).text,
63                                           'e-sign(?:ature)?'
64                        )
65                        or strings.icontains(beta.ocr(.file).text,
66                                             'review and sign'
67                        )
68                        or strings.icontains(beta.ocr(.file).text,
69                                             'shared a document'
70                        )
71                      )
72                    )
73                  )
74                )
75              )
76          )
77  )
    // the message is not a reply: no References chain and no In-Reply-To header
78  and length(headers.references) == 0
79  and headers.in_reply_to is null
    // the sender is not Adobe itself (compared on the root domain)
80  and sender.email.domain.root_domain != "adobe.com"  
81
82attack_types:
83  - "Credential Phishing"
84tactics_and_techniques:
85  - "Impersonation: Brand"
86  - "Social engineering"
87detection_methods:
88  - "Computer Vision"
89  - "Optical Character Recognition"
90  - "URL analysis"
91  - "Header analysis"
92  - "Sender analysis"
93id: "609081ef-ca1a-577f-a886-a590e39655eb"