Link: Abused Adobe Express

The detection rule matches on message groups which use an Adobe Express page as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts or URL shorteners, or which, when visited, are phishing pages, lead to a captcha, or redirect to a top website.

Sublime rule (View on GitHub)

name: "Link: Abused Adobe Express"
description: "The detection rule matches on message groups which make use of Adobe Express as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(filter(body.links,
                 // the link is a new.express.adobe.com page
                 .href_url.domain.domain == "new.express.adobe.com"
                 and strings.starts_with(.href_url.path, "/webpage/")
          ),
          // filter down the links on express.adobe.com page to those that are external to adobe
          // check that the length of external links is reasonable
          length(distinct(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                                 // filter any links on the adobe express page which are
                                 // on express.adobe.com
                                 .href_url.domain.domain != 'new.express.adobe.com'
                                 // or www.adobe.com (privacy page/report abuse/etc)
                                 and .href_url.domain.domain != 'www.adobe.com'
                                 // relative links (no domains)
                                 and .href_url.domain.domain is not null
                          ),
                          .href_url.domain.domain
                 )
          ) <= 10
          and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                         // filter any links on the adobe express page which are
                         // on express.adobe.com
                         .href_url.domain.domain != 'new.express.adobe.com'
                         // or www.adobe.com (privacy page/report abuse/etc)
                         and .href_url.domain.domain != 'www.adobe.com'
                         // relative links (no domains)
                         and .href_url.domain.domain is not null
                  ),
                  (
                    // any of those links domains are new
                    network.whois(.href_url.domain).days_old < 30

                    // go to free file hosts
                    or .href_url.domain.root_domain in $free_file_hosts
                    or .href_url.domain.domain in $free_file_hosts

                    // go to free subdomains hosts
                    or (
                      .href_url.domain.root_domain in $free_subdomain_hosts
                      // where there is a subdomain
                      and .href_url.domain.subdomain is not null
                      and .href_url.domain.subdomain != "www"
                    )
                    // go to url shortners
                    or .href_url.domain.root_domain in $url_shorteners
                    or .href_url.domain.root_domain in $social_landing_hosts
                    or .href_url.domain.domain in $url_shorteners
                    or .href_url.domain.domain in $social_landing_hosts
                    or (
                      // find any links that mention common "action" words
                      regex.icontains(.display_text,
                                      '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                      )
                      and (
                        // and when visiting those links, are phishing
                        ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                        // hit a captcha page
                        or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                        // or the page redirects to common website, observed when evasion happens
                        or (
                          length(ml.link_analysis(., mode="aggressive").redirect_history
                          ) > 0
                          and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
                        )
                      )
                    )
                  )
          )
  )
  and profile.by_sender().prevalence != "common"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
  - "HTML analysis"
id: "c7d17bfd-e571-55ba-a521-08d68b576740"
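As an added illustration (not part of the Sublime rule above or of the Sublime platform), the same decision logic written out in Python over constructed link data: the host lists, the Link fields and the parts() root-domain split are assumptions standing in for Sublime's $lists, network.whois() and ml.link_analysis() results.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-ins for Sublime's $free_file_hosts, $url_shorteners, $tranco_10k, etc. (not the real lists)
LISTED_HOSTS = {"mediafire.com", "mega.nz", "bit.ly", "tinyurl.com", "linktr.ee"}  # file hosts, shorteners, social
FREE_SUBDOMAIN_HOSTS = {"weebly.com", "000webhostapp.com"}
TRANCO_10K = {"microsoft.com", "google.com"}
ACTION_WORDS = re.compile(r"(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)", re.I)
@dataclass
class Link:  # one hyperlink plus the whois / link_analysis facts the rule consults (all constructed here)
    href: str
    display_text: str = ""
    days_old: int = 3650          # network.whois(...).days_old
    disposition: str = "benign"   # credphish.disposition when the link is visited
    contains_captcha: bool = False
    lands_on: str = ""            # effective_url after a redirect; "" means the visit did not redirect
def parts(url):  # (domain, root_domain, subdomain); root = last two labels, a simplification of Sublime's root_domain
    host = urlparse(url).hostname or ""
    labels = host.split(".") if host else []
    return host, ".".join(labels[-2:]), (".".join(labels[:-2]) or None)
def link_is_suspicious(link):
    host, root, sub = parts(link.href)
    if link.days_old < 30 or {root, host} & LISTED_HOSTS:
        return True
    if root in FREE_SUBDOMAIN_HOSTS and sub not in (None, "www"):
        return True
    if ACTION_WORDS.search(link.display_text):  # only "action" links have their visit result consulted
        redirected_to_top = bool(link.lands_on) and parts(link.lands_on)[1] in TRANCO_10K
        return link.disposition == "phishing" or link.contains_captcha or redirected_to_top
    return False
def rule_matches(body_links, page_links_for, sender_prevalence):
    # page_links_for(href) stands in for ml.link_analysis(...).final_dom.links of the rendered Express page
    if sender_prevalence == "common":
        return False
    for link in body_links:
        u = urlparse(link.href)
        if u.hostname != "new.express.adobe.com" or not u.path.startswith("/webpage/"):
            continue
        ext = [l for l in page_links_for(link.href)  # drop Adobe's own and relative (domain-less) links
               if parts(l.href)[0] not in ("", "new.express.adobe.com", "www.adobe.com")]
        if len({parts(l.href)[0] for l in ext}) <= 10 and any(map(link_is_suspicious, ext)):
            return True
    return False

# Constructed sample: an Express page whose "Verify account" button redirects on to a top-ranked site
PAGE = "https://new.express.adobe.com/webpage/constructed-id"
PAGE_LINKS = [Link("https://www.adobe.com/privacy.html", "Privacy"), Link("/report", "Report abuse"),
              Link("https://cdn-files.example/doc", "Verify account", lands_on="https://www.microsoft.com/")]
verdict = rule_matches([Link(PAGE, "Open document")], lambda href: PAGE_LINKS if href == PAGE else [], "new")
```

The sample trips the redirect-to-top-site branch; swapping the sender prevalence to "common" or removing the action word from the button text makes the same page pass, which mirrors the rule's two main false-positive guards.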