Link: Multistage Landing - Abuse Adobe Acrobat Hosted PDF

Detects an inbound message containing an Adobe Acrobat link that leads to a single page PDF document with suspicious indicators, including minimal text, brand logos, and document viewer language. The sender is not from Adobe.com and the message is not a reply.


name: "Link: Multistage Landing - Abuse Adobe Acrobat Hosted PDF"
description: "Detects an inbound message containing an Adobe Acrobat link that leads to a single page PDF document with suspicious indicators, including minimal text, brand logos, and document viewer language. The sender is not from Adobe.com and the message is not a reply."
type: "rule"
severity: "medium"
source: |
  // inbound mail carrying at least one Acrobat share link ('/id/urn:...' path)
  type.inbound
  and any(body.links,
          .href_url.domain.domain == "acrobat.adobe.com"
          and strings.istarts_with(.href_url.path, '/id/urn:')
  )
  // exactly one distinct Acrobat share URL in the body
  and length(distinct(filter(body.links,
                             .href_url.domain.domain == "acrobat.adobe.com"
                             and strings.istarts_with(.href_url.path, '/id/urn:')
                      ),
                      .href_url.url
             )
  ) == 1
  // follow that link (aggressive mode) and inspect the files it hands back
  and any(filter(body.links,
                 .href_url.domain.domain == "acrobat.adobe.com"
                 and strings.istarts_with(.href_url.path, '/id/urn:')
          ),
          any(ml.link_analysis(., mode="aggressive").additional_responses,
              // a low amount of links
              any(file.explode(.file), 1 <= length(.scan.url.urls) <= 2)
              // a single page
              and any(file.explode(.file),
                      .scan.exiftool.page_count == 1
                      // occurs when there are exif errors
                      or .scan.exiftool.page_count is null
              )
              // suspicious indicators
              and (
                // logo detection of brands for file sharing companies
                any(ml.logo_detect(.file).brands,
                    .name in ("DocuSign", "Adobe")
                    or strings.istarts_with(.name, 'Microsoft')
                )
                // look at the OCR of the document as well:
                // short OCR text (< 750 chars) containing document-viewer or e-sign wording
                or (
                  length(beta.ocr(.file).text) < 750
                  and (
                    strings.icontains(beta.ocr(.file).text, 'view document')
                    or strings.icontains(beta.ocr(.file).text, 'New PDF Document')
                    or strings.icontains(beta.ocr(.file).text, 'please wait...')
                    or strings.icontains(beta.ocr(.file).text,
                                         "display this type of document"
                    )
                    or strings.icontains(beta.ocr(.file).text, 'PDF viewer')
                    or regex.icontains(beta.ocr(.file).text, 'e-sign(?:ature)?')
                    or strings.icontains(beta.ocr(.file).text, 'review and sign')
                    or strings.icontains(beta.ocr(.file).text, 'shared a document')
                  )
                )
              )
          )
  )
  // not a reply: no References header entries and no In-Reply-To header
  and length(headers.references) == 0
  and headers.in_reply_to is null
  // exclude Adobe's own root domain; NOTE(review): this keys on the sender
  // domain string only and is not tied to authentication results
  and sender.email.domain.root_domain != "adobe.com"  

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Optical Character Recognition"
  - "URL analysis"
  - "Header analysis"
  - "Sender analysis"
id: "609081ef-ca1a-577f-a886-a590e39655eb"