Link: Multistage landing - Abuse Adobe Acrobat hosted PDF
Detects an inbound message containing an Adobe Acrobat link that leads to a single page PDF document with suspicious indicators, including minimal text, brand logos, and document viewer language. The sender is not from Adobe.com and the message is not a reply.
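# Sublime detection rule. The body of `source:` is MQL; the page had lost its
# indentation and had editor gutter numbers fused onto each line, which made the
# document unparseable as YAML — both are restored here, and the rule logic is
# unchanged apart from comments.
name: "Link: Multistage landing - Abuse Adobe Acrobat hosted PDF"
description: "Detects an inbound message containing an Adobe Acrobat link that leads to a single page PDF document with suspicious indicators, including minimal text, brand logos, and document viewer language. The sender is not from Adobe.com and the message is not a reply."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // The "Acrobat share link" predicate (acrobat.adobe.com + path starting with
  // /id/urn:) is spelled out three times below: once to require at least one
  // such link, once to count distinct URLs, once to select the links that are
  // followed. Keep all three copies identical when editing.
  and any(body.links,
          .href_url.domain.domain == "acrobat.adobe.com"
          and strings.istarts_with(.href_url.path, '/id/urn:')
  )
  // Exactly one distinct Acrobat URL in the message (repeated links to the
  // same document are collapsed by distinct()).
  and length(distinct(filter(body.links,
                             .href_url.domain.domain == "acrobat.adobe.com"
                             and strings.istarts_with(.href_url.path, '/id/urn:')
                      ),
                      .href_url.url
             )
  ) == 1
  // Follow that link and inspect the responses collected by link analysis.
  // The hosted PDF is suspicious when EITHER it is password protected, OR it is
  // a sparse single page (1-2 links) carrying brand logos / viewer-lure text.
  and any(filter(body.links,
                 .href_url.domain.domain == "acrobat.adobe.com"
                 and strings.istarts_with(.href_url.path, '/id/urn:')
          ),
          any(ml.link_analysis(., mode="aggressive").additional_responses,
              (
                any(file.explode(.file),
                    any(.scan.exiftool.fields,
                        // password protected pdf
                        .key == "Warning"
                        and strings.icontains(.value, "password protected")
                    )
                )
                // a low amount of links
                or (
                  any(file.explode(.file), 1 <= length(.scan.url.urls) <= 2)
                  // a single page
                  and any(file.explode(.file),
                          .scan.exiftool.page_count == 1
                          // occurs when there are exif errors
                          or .scan.exiftool.page_count is null
                  )
                  // suspicious indicators
                  and (
                    // logo detection of brands for file sharing companies
                    any(ml.logo_detect(.file).brands,
                        .name in ("DocuSign", "Adobe")
                        or strings.istarts_with(.name, 'Microsoft')
                    )
                    // look at the OCR of the document as well: little text
                    // overall, but containing document-viewer / e-sign phrasing
                    or (
                      length(beta.ocr(.file).text) < 750
                      and (
                        strings.icontains(beta.ocr(.file).text, 'view document')
                        or strings.icontains(beta.ocr(.file).text,
                                             'New PDF Document'
                        )
                        or strings.icontains(beta.ocr(.file).text,
                                             'please wait...'
                        )
                        or strings.icontains(beta.ocr(.file).text,
                                             "display this type of document"
                        )
                        or strings.icontains(beta.ocr(.file).text, 'PDF viewer')
                        // the optional group only documents intent; a contains
                        // match on 'e-sign' already covers 'e-signature'
                        or regex.icontains(beta.ocr(.file).text,
                                           'e-sign(?:ature)?'
                        )
                        or strings.icontains(beta.ocr(.file).text,
                                             'review and sign'
                        )
                        or strings.icontains(beta.ocr(.file).text,
                                             'shared a document'
                        )
                      )
                    )
                  )
                )
              )
          )
  )
  // Not part of an existing thread. This is a false-positive reduction
  // heuristic only: References / In-Reply-To are set by the sending side, so
  // their absence is evidence, not a boundary the rule can rely on.
  and length(headers.references) == 0
  and headers.in_reply_to is null
  // Exclude mail whose sender root domain is Adobe itself; everything else
  // (including look-alike or unrelated domains) stays in scope.
  and sender.email.domain.root_domain != "adobe.com"

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Optical Character Recognition"
  - "URL analysis"
  - "Header analysis"
  - "Sender analysis"
id: "609081ef-ca1a-577f-a886-a590e39655eb"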