Link: Abused Adobe Express
The detection rule matches on message groups that use an Adobe Express page as a landing page. The landing page contains links that are newly registered, use free file or subdomain hosts or URL shorteners, or, when visited, are phishing pages, lead to a captcha, or redirect to a top website.
Sublime rule
```yaml
name: "Link: Abused Adobe Express"
description: "The detection rule matches on message groups which make use of Adobe Express as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(filter(body.links,
                 // the link is a new.express.adobe.com page
                 .href_url.domain.domain == "new.express.adobe.com"
                 and strings.starts_with(.href_url.path, "/webpage/")
          ),
          // filter down the links on express.adobe.com page to those that are external to adobe
          // check that the length of external links is reasonable
          length(distinct(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                                 // filter any links on the adobe express page which are
                                 // on express.adobe.com
                                 .href_url.domain.domain != 'new.express.adobe.com'
                                 // or www.adobe.com (privacy page/report abuse/etc)
                                 and .href_url.domain.domain != 'www.adobe.com'
                                 // relative links (no domains)
                                 and .href_url.domain.domain is not null
                          ),
                          .href_url.domain.domain
                 )
          ) <= 10
          and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                         // filter any links on the adobe express page which are
                         // on express.adobe.com
                         .href_url.domain.domain != 'new.express.adobe.com'
                         // or www.adobe.com (privacy page/report abuse/etc)
                         and .href_url.domain.domain != 'www.adobe.com'
                         // relative links (no domains)
                         and .href_url.domain.domain is not null
                  ),
                  (
                    // any of those links domains are new
                    network.whois(.href_url.domain).days_old < 30

                    // go to free file hosts
                    or .href_url.domain.root_domain in $free_file_hosts
                    or .href_url.domain.domain in $free_file_hosts

                    // go to free subdomains hosts
                    or (
                      .href_url.domain.root_domain in $free_subdomain_hosts
                      // where there is a subdomain
                      and .href_url.domain.subdomain is not null
                      and .href_url.domain.subdomain != "www"
                    )
                    // go to url shortners
                    or .href_url.domain.root_domain in $url_shorteners
                    or .href_url.domain.domain in $url_shorteners
                    or (
                      // find any links that mention common "action" words
                      regex.icontains(.display_text,
                                      '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                      )
                      and (
                        // and when visiting those links, are phishing
                        ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                        // hit a captcha page
                        or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                        // or the page redirects to common website, observed when evasion happens
                        or (
                          length(ml.link_analysis(., mode="aggressive").redirect_history) > 0
                          and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
                        )
                      )
                    )
                  )
          )
  )
  and profile.by_sender().prevalence != "common"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
  - "HTML analysis"
id: "c7d17bfd-e571-55ba-a521-08d68b576740"
```
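To make the landing-page half of the rule concrete, the following is an added Python model of its predicates run over constructed link records (example code written for this page, not Sublime's rule or engine). The list variables, link-analysis fields and sample pages are stand-ins, and the outer body-link and sender-prevalence checks are left out.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-ins for the Sublime list variables the rule references (not the real lists).
FREE_FILE_HOSTS = {"drive.google.com", "dropbox.com"}
FREE_SUBDOMAIN_HOSTS = {"weebly.com", "github.io"}
URL_SHORTENERS = {"bit.ly", "t.co"}
TRANCO_10K = {"microsoft.com", "google.com"}
ADOBE_DOMAINS = {"new.express.adobe.com", "www.adobe.com"}
ACTION_WORDS = re.compile(r"(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)", re.I)

@dataclass
class Link:
    domain: Optional[str]            # full hostname; None for relative links
    root_domain: str = ""
    subdomain: Optional[str] = None
    display_text: str = ""
    days_old: int = 9999             # whois age of the domain in days
    disposition: str = "benign"      # credphish verdict when the link is visited
    contains_captcha: bool = False
    redirects: int = 0               # length of redirect_history
    effective_root: str = ""         # root domain of the final URL after redirects

def is_suspicious(l: Link) -> bool:
    # Mirrors the rule's per-link predicate, branch for branch.
    if l.days_old < 30 or l.root_domain in FREE_FILE_HOSTS or l.domain in FREE_FILE_HOSTS:
        return True
    if l.root_domain in FREE_SUBDOMAIN_HOSTS and l.subdomain not in (None, "www"):
        return True
    if l.root_domain in URL_SHORTENERS or l.domain in URL_SHORTENERS:
        return True
    if ACTION_WORDS.search(l.display_text):
        evasive = l.redirects > 0 and l.effective_root in TRANCO_10K
        return l.disposition == "phishing" or l.contains_captcha or evasive
    return False

def landing_page_matches(page_links: List[Link]) -> bool:
    # Keep only external links: drop relative links and links back to Adobe itself.
    external = [l for l in page_links if l.domain is not None and l.domain not in ADOBE_DOMAINS]
    if len({l.domain for l in external}) > 10:   # too many external domains: not a typical lure page
        return False
    return any(is_suspicious(l) for l in external)

# Constructed sample landing pages.
PHISH_PAGE = [Link("www.adobe.com", "adobe.com"), Link(None),
              Link("secure-login.weebly.com", "weebly.com", "secure-login", "Click to verify")]
BENIGN_PAGE = [Link("www.microsoft.com", "microsoft.com", "www", "Learn more")]
BUSY_PAGE = [Link(f"site{i}.example", f"site{i}.example", days_old=3) for i in range(11)]
```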