Link: Abused Adobe Express
This rule matches message groups that use an Adobe Express page (new.express.adobe.com/webpage/...) as a landing page, where the landing page itself contains outbound links that are newly registered, point to free file or free subdomain hosts, or go through URL shorteners. For links whose display text carries common "action" words (view, click, download, login, verify, account, and so on), the rule also follows the link and matches when the destination is a credential phishing page, a CAPTCHA gate, or a redirect chain that ends on a top website, a pattern observed when the attacker's page is evading analysis. Links that stay on new.express.adobe.com or www.adobe.com, and relative links, are excluded before these checks run. The rule only fires for senders that are not common for the recipient.
Sublime rule (View on GitHub)
name: "Link: Abused Adobe Express"
description: "This rule matches message groups that use an Adobe Express page as a landing page. The landing page contains links that are newly registered, use free file or subdomain hosts or URL shorteners, or that, when visited, are phishing pages, lead to a CAPTCHA, or redirect to a top website."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          // the link is a new.express.adobe.com "webpage" page
          .href_url.domain.domain == "new.express.adobe.com"
          and strings.starts_with(.href_url.path, "/webpage/")

          // filter the links found on the Adobe Express page down to those that are external to Adobe
          and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                         // drop links on the Adobe Express page that stay
                         // on new.express.adobe.com
                         .href_url.domain.domain != 'new.express.adobe.com'
                         // or go to www.adobe.com (privacy page/report abuse/etc)
                         and .href_url.domain.domain != 'www.adobe.com'
                         // and relative links (no domain)
                         and .href_url.domain.domain is not null
                  ),
                  (
                    // any of those links' domains are newly registered
                    network.whois(.href_url.domain).days_old < 30

                    // go to free file hosts
                    or .href_url.domain.root_domain in $free_file_hosts
                    or .href_url.domain.domain in $free_file_hosts

                    // go to free subdomain hosts
                    or (
                      .href_url.domain.root_domain in $free_subdomain_hosts
                      // where there is a subdomain other than www
                      and .href_url.domain.subdomain is not null
                      and .href_url.domain.subdomain != "www"
                    )
                    // go to URL shorteners
                    or .href_url.domain.root_domain in $url_shorteners
                    or .href_url.domain.domain in $url_shorteners
                    or (
                      // find any links whose display text mentions common "action" words
                      regex.icontains(.display_text,
                                      '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                      )
                      and (
                        // and when visited, those links are phishing
                        ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                        // hit a CAPTCHA page
                        or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                        // or the page redirects to a common website, observed when evasion happens
                        or (
                          length(ml.link_analysis(., mode="aggressive").redirect_history) > 0
                          and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
                        )
                      )
                    )
                  )
          )
  )
  and profile.by_sender().prevalence != "common"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
  - "HTML analysis"
id: "c7d17bfd-e571-55ba-a521-08d68b576740"
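To make the landing-page predicate above concrete, here is an added Python re-implementation of the rule's filter and indicator logic. It is not Sublime's code and does not use the platform: the sample HTML, WHOIS ages and link-analysis verdicts are constructed, the small sets stand in for the $free_file_hosts, $free_subdomain_hosts, $url_shorteners and $tranco_10k lists, and split_host is a deliberately simplified stand-in for the platform's .domain.subdomain / .domain.root_domain attributes (it takes the last two labels as the registrable domain, so it misjudges co.uk-style public suffixes).

```python
"""Added example: offline re-implementation of the landing-page checks in the
"Link: Abused Adobe Express" rule. Not Sublime's code; the HTML, WHOIS ages,
link-analysis verdicts and list contents below are constructed."""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlparse

ADOBE_INTERNAL = {"new.express.adobe.com", "www.adobe.com"}
# Constructed stand-ins for the platform lists referenced by the rule.
FREE_FILE_HOSTS = {"dropbox.com", "drive.google.com"}
FREE_SUBDOMAIN_HOSTS = {"weebly.com", "glitch.me"}
URL_SHORTENERS = {"bit.ly", "t.co"}
TRANCO_10K = {"microsoft.com", "google.com"}
ACTION_WORDS = re.compile(
    r"(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)", re.I)


@dataclass
class Link:
    href: str
    text: str  # the rule's .display_text


@dataclass
class LinkVerdict:
    """Constructed stand-in for ml.link_analysis(link, mode="aggressive")."""
    disposition: str = "benign"
    contains_captcha: bool = False
    redirect_history: list = field(default_factory=list)
    effective_url: str = ""


class LinkExtractor(HTMLParser):
    """Collects <a href> targets with their visible text (stand-in for final_dom.links)."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(Link(self._href, "".join(self._text).strip()))
            self._href = None


def host_of(href):
    """Hostname of an absolute URL; None for relative links (the rule's 'domain is null')."""
    return (urlparse(href).hostname or "").lower() or None


def split_host(host):
    """Simplified (subdomain, root_domain): the last two labels are taken as the registrable
    domain, which is wrong for public suffixes such as co.uk. Assumption, not platform logic."""
    labels = host.split(".")
    return ".".join(labels[:-2]) or None, ".".join(labels[-2:])


def external_links(links):
    """The rule's filter(): keep only links that have a domain and it is not Adobe's own."""
    return [l for l in links if host_of(l.href) and host_of(l.href) not in ADOBE_INTERNAL]


def is_suspicious(link, whois_days_old, verdicts):
    """The OR-ed indicators the rule applies to each external link."""
    host = host_of(link.href)
    sub, root = split_host(host)
    age = whois_days_old.get(root)  # network.whois(.href_url.domain).days_old, keyed by root
    if age is not None and age < 30:
        return True
    if root in FREE_FILE_HOSTS or host in FREE_FILE_HOSTS:
        return True
    if root in FREE_SUBDOMAIN_HOSTS and sub is not None and sub != "www":
        return True
    if root in URL_SHORTENERS or host in URL_SHORTENERS:
        return True
    # The visit-based verdicts are only consulted when the display text carries an action word.
    if ACTION_WORDS.search(link.text):
        v = verdicts.get(link.href, LinkVerdict())
        if v.disposition == "phishing" or v.contains_captcha:
            return True
        eff = host_of(v.effective_url) if v.redirect_history else None
        if eff and split_host(eff)[1] in TRANCO_10K:
            return True
    return False


def evaluate_landing_page(html, whois_days_old, verdicts):
    """Return the hrefs on an Adobe Express page that satisfy the rule's inner any()."""
    parser = LinkExtractor()
    parser.feed(html)
    return [l.href for l in external_links(parser.links)
            if is_suspicious(l, whois_days_old, verdicts)]


# Constructed sample: a fake Adobe Express page with Adobe's own links, a relative link,
# and several outbound links of the kinds the rule looks for.
SAMPLE_HTML = """<html><body>
<a href="/webpage/abc123/edit">Edit page</a>
<a href="https://new.express.adobe.com/webpage/abc123">Open</a>
<a href="https://www.adobe.com/privacy.html">Privacy</a>
<a href="https://login-secure.example-fresh.com/">Read the memo</a>
<a href="https://bit.ly/3xyz">Open file</a>
<a href="https://myteam.weebly.com/verify">Verify account</a>
<a href="https://www.weebly.com/">Powered by Weebly</a>
<a href="https://docs.partner-portal.com/view">View Document</a>
<a href="https://news.example.org/story">Read more</a>
</body></html>"""
WHOIS_DAYS_OLD = {"example-fresh.com": 5, "partner-portal.com": 900, "example.org": 9000,
                  "weebly.com": 7000, "bit.ly": 5000}
VERDICTS = {  # constructed: the partner-portal link bounces through a redirect to a top site
    "https://docs.partner-portal.com/view": LinkVerdict(
        redirect_history=["https://docs.partner-portal.com/view"],
        effective_url="https://www.microsoft.com/"),
}

if __name__ == "__main__":
    for href in evaluate_landing_page(SAMPLE_HTML, WHOIS_DAYS_OLD, VERDICTS):
        print("suspicious:", href)
```

Running it flags the freshly registered domain, the shortener, the free-subdomain host and the action-word link that redirects to a Tranco-listed site, while the relative link, Adobe's own pages, the bare www.weebly.com footer link and the aged news link pass. Note that the order of the checks matters for cost, not for the result: the cheap list and WHOIS lookups short-circuit before any page is visited, which mirrors why the rule gates its link_analysis calls behind the display-text regex.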