Link: Abused Adobe Express
The detection rule matches on message groups which make use of Adobe Express as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website.
Sublime rule (View on GitHub)
1name: "Link: Abused Adobe Express"
2description: "The detection rule matches on message groups which make use of Adobe Express as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and any(body.links,
8 // it is a new.express.adobe.com page
9 .href_url.domain.domain == "new.express.adobe.com"
10 and strings.starts_with(.href_url.path, "/webpage/")
11
12 // filter down the links on express.adobe.com page to those that are external to adobe
13 and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
14 // filter any links on the adobe express page which are
15 // on express.adobe.com
16 .href_url.domain.domain != 'new.express.adobe.com'
17 // or www.adobe.com (privacy page/report abuse/etc)
18 and .href_url.domain.domain != 'www.adobe.com'
19 // relative links (no domains)
20 and .href_url.domain.domain is not null
21 ),
22 (
23 // any of those links domains are new
24 network.whois(.href_url.domain).days_old < 30
25
26 // go to free file hosts
27 or .href_url.domain.root_domain in $free_file_hosts
28 or .href_url.domain.domain in $free_file_hosts
29
30 // go to free subdomains hosts
31 or (
32 .href_url.domain.root_domain in $free_subdomain_hosts
33 // where there is a subdomain
34 and .href_url.domain.subdomain is not null
35 and .href_url.domain.subdomain != "www"
36 )
37 // go to url shortners
38 or .href_url.domain.root_domain in $url_shorteners
39 or .href_url.domain.domain in $url_shorteners
40 or (
41 // find any links that mention common "action" words
42 regex.icontains(.display_text,
43 '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
44 )
45 and (
46 // and when visiting those links, are phishing
47 ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
48
49 // hit a captcha page
50 or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
51
52 // or the page redirects to common website, observed when evasion happens
53 or (
54 length(ml.link_analysis(., mode="aggressive").redirect_history
55 ) > 0
56 and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
57 )
58 )
59 )
60 )
61 )
62 )
63attack_types:
64 - "Credential Phishing"
65tactics_and_techniques:
66 - "Evasion"
67 - "Free subdomain host"
68 - "Free file host"
69detection_methods:
70 - "Content analysis"
71 - "Sender analysis"
72 - "URL analysis"
73 - "Whois"
74 - "HTML analysis"
75id: "c7d17bfd-e571-55ba-a521-08d68b576740"