Link: Abused Adobe Express
This detection rule matches messages that use an Adobe Express page (new.express.adobe.com/webpage/...) as a landing page, sent from a sender that is not common for the recipient. The landing page contains a small number of external links whose domains are newly registered, that point to free file hosts, free subdomain hosts or URL shorteners, or that carry "action" text (view, click, login, verify, ...) and, when visited, are phishing pages, lead to a CAPTCHA, or redirect to a top (Tranco 10k) website.
Sublime rule (View on GitHub)
```yaml
name: "Link: Abused Adobe Express"
description: "The detection rule matches on message groups which make use of Adobe Express as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(filter(body.links,
                 // the link is a new.express.adobe.com page
                 .href_url.domain.domain == "new.express.adobe.com"
                 and strings.starts_with(.href_url.path, "/webpage/")
          ),
          // filter down the links on express.adobe.com page to those that are external to adobe
          // check that the length of external links is reasonable
          length(distinct(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                                 // filter any links on the adobe express page which are
                                 // on express.adobe.com
                                 .href_url.domain.domain != 'new.express.adobe.com'
                                 // or www.adobe.com (privacy page/report abuse/etc)
                                 and .href_url.domain.domain != 'www.adobe.com'
                                 // relative links (no domains)
                                 and .href_url.domain.domain is not null
                          ),
                          .href_url.domain.domain
                 )
          ) <= 10
          and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                         // filter any links on the adobe express page which are
                         // on express.adobe.com
                         .href_url.domain.domain != 'new.express.adobe.com'
                         // or www.adobe.com (privacy page/report abuse/etc)
                         and .href_url.domain.domain != 'www.adobe.com'
                         // relative links (no domains)
                         and .href_url.domain.domain is not null
                  ),
                  (
                    // any of those links domains are new
                    network.whois(.href_url.domain).days_old < 30

                    // go to free file hosts
                    or .href_url.domain.root_domain in $free_file_hosts
                    or .href_url.domain.domain in $free_file_hosts

                    // go to free subdomains hosts
                    or (
                      .href_url.domain.root_domain in $free_subdomain_hosts
                      // where there is a subdomain
                      and .href_url.domain.subdomain is not null
                      and .href_url.domain.subdomain != "www"
                    )
                    // go to url shortners
                    or .href_url.domain.root_domain in $url_shorteners
                    or .href_url.domain.root_domain in $social_landing_hosts
                    or .href_url.domain.domain in $url_shorteners
                    or .href_url.domain.domain in $social_landing_hosts
                    or (
                      // find any links that mention common "action" words
                      regex.icontains(.display_text,
                                      '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                      )
                      and (
                        // and when visiting those links, are phishing
                        ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                        // hit a captcha page
                        or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                        // or the page redirects to common website, observed when evasion happens
                        or (
                          length(ml.link_analysis(., mode="aggressive").redirect_history
                          ) > 0
                          and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
                        )
                      )
                    )
                  )
          )
  )
  and profile.by_sender().prevalence != "common"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
  - "HTML analysis"
id: "c7d17bfd-e571-55ba-a521-08d68b576740"
```
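To make the rule's link filtering and per-link checks concrete, here is an added Python approximation (not Sublime's code and not the MQL above) that applies the same decisions to a constructed Adobe Express landing page. The host sets, the whois ages and the visit results are constructed stand-ins for $free_file_hosts, $free_subdomain_hosts, $url_shorteners, $tranco_10k, network.whois() and ml.link_analysis(); $social_landing_hosts is omitted and root-domain parsing is deliberately naive.

```python
import re
from urllib.parse import urlparse

# Constructed stand-ins for the Sublime lists the rule references ($free_file_hosts, $url_shorteners,
# $free_subdomain_hosts, $tranco_10k); these are NOT the real lists.
FREE_FILE_HOSTS = {"dropbox.com", "mega.nz"}
FREE_SUBDOMAIN_HOSTS = {"weebly.com", "github.io"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com"}
TRANCO_TOP = {"microsoft.com", "google.com"}
ADOBE_HOSTS = {"new.express.adobe.com", "www.adobe.com"}   # excluded exactly as the rule does
ACTION_WORDS = re.compile(r"(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def root_domain(host):
    return ".".join(host.split(".")[-2:])   # naive; Sublime's .root_domain uses the public suffix list

def external_links(html):
    # Mimic the rule's filter over final_dom.links: keep only links whose host is outside Adobe.
    out = []
    for href, text in ANCHOR.findall(html):
        host = urlparse(href).hostname
        if host and host not in ADOBE_HOSTS:      # also drops relative links (no host)
            out.append((host, re.sub(r"<[^>]+>", "", text).strip()))
    return out

def evaluate(html, whois_days, visits):
    # whois_days: host -> age in days (stands in for network.whois().days_old)
    # visits: host -> {disposition, captcha, redirected, effective_root} (stands in for ml.link_analysis)
    links = external_links(html)
    if len({h for h, _ in links}) > 10:
        return []                                  # the rule requires <= 10 distinct external domains
    hits = []
    for host, text in links:
        root = root_domain(host)
        sub = host[:-len(root) - 1]                # "" when host is the root itself
        v = visits.get(host, {})
        visit_bad = (v.get("disposition") == "phishing" or v.get("captcha")
                     or (v.get("redirected") and v.get("effective_root") in TRANCO_TOP))
        if (whois_days.get(host, 9999) < 30
                or root in FREE_FILE_HOSTS or host in FREE_FILE_HOSTS
                or (root in FREE_SUBDOMAIN_HOSTS and sub and sub != "www")
                or root in URL_SHORTENERS or host in URL_SHORTENERS
                or (ACTION_WORDS.search(text) and visit_bad)):
            hits.append(host)
    return hits

# Constructed landing page resembling an abused Adobe Express "webpage"
SAMPLE = """<a href="https://www.adobe.com/privacy">Privacy</a><a href="/webpage/x">Home</a>
<a href="https://docs.weebly.com/f">View document</a><a href="https://bit.ly/3abc">Open</a>
<a href="https://example-corp.com/portal">Login here</a><a href="https://news.example.org/">News</a>"""
```

Running `evaluate(SAMPLE, {"example-corp.com": 4}, {})` flags the free-subdomain host, the shortener and the 4-day-old domain, while news.example.org stays clear because its anchor text has no action word even if a visit looked bad.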