Service abuse: Adobe Creative Cloud share from an unsolicited sender address
Detects messages from Adobe Creative Cloud in which the document originates from a newly observed email address. The email address is extracted from the HTML body.
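# Sublime detection rule. The rendered page fused gutter line numbers into the
# keys ("1name:", "5source:") and flattened the block-scalar indentation, which
# makes the YAML unparseable; this is the rule reconstructed with valid layout.
name: "Service abuse: Adobe Creative Cloud share from an unsolicited sender address"
description: "Detects messages from Adobe Creative Cloud in which the document originates from a newly observed email address. The email address is extracted from the HTML body."
type: "rule"
severity: "low"
source: |
  // Only inbound mail whose envelope/From address is Adobe's share-notification sender.
  type.inbound
  and sender.email.email == "message@adobe.com"
  // Require SPF and DMARC to pass so the message genuinely left Adobe's platform.
  // The concern here is abuse of a legitimate service, not a spoofed From header;
  // a forged "message@adobe.com" that fails authentication is out of scope for this rule.
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
  // The sharer's address only appears in the HTML body, as link text inside the
  // table cell styled with Adobe's 'adobe-clean-display' font. NOTE(review): this is a
  // template dependency — if Adobe changes the markup the XPath returns no nodes and
  // the rule silently stops matching, so the selector should be re-validated periodically.
  and any(html.xpath(body.html,
                     "//td[@style[contains(., 'adobe-clean-display')]]/strong/a/text()"
                     ).nodes,
          // NOTE(review): assumes the anchor text is the sharer's email address and
          // parses cleanly; confirm against a current sample message.
          // The sharer is not from one of the organisation's own domains ...
          strings.parse_email(.raw).domain.root_domain not in $org_domains
          // ... and this exact address has no prior mail relationship with the
          // organisation in either direction.
          and strings.parse_email(.raw).email not in $recipient_emails
          and strings.parse_email(.raw).email not in $sender_emails
          // Suppress the match when the sharer's domain is a non-freemail domain the
          // organisation already both receives from and sends to: an established
          // business partner whose individual employee simply has not been seen before.
          // Freemail domains never qualify for this exclusion, since a gmail.com
          // correspondent says nothing about the trustworthiness of another gmail.com user.
          and not (
            strings.parse_email(.raw).domain.domain not in $free_email_providers
            and strings.parse_email(.raw).domain.domain in $recipient_domains
            and strings.parse_email(.raw).domain.domain in $sender_domains
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Free file host"
  - "Evasion"
detection_methods:
  - "HTML analysis"
  - "Sender analysis"
  - "Header analysis"
id: "47e42ca1-aee3-527c-b9cd-a1384efc9334"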