Service abuse: Adobe legitimate domain with document approval language

Detects messages from Adobe's legitimate email domain containing suspicious language about document or payment approval that may indicate service abuse.

Sublime rule

name: "Service abuse: Adobe legitimate domain with document approval language"
description: "Detects messages from Adobe's legitimate email domain containing suspicious language about document or payment approval that may indicate service abuse."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and recipients.to[0].email.domain.domain == "email.adobe.com"
  and regex.icontains(body.current_thread.text,
                      "(?:approved?|view) (?:document|payment)"
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "237f4da4-f95c-5965-9e29-106620ee2fff"
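To see how the three conditions in the rule's source expression combine, here is a Python re-implementation run over a handful of constructed sample messages. This is an added example, not code from Sublime or from the rule repository; the Message class and its attribute names are my own stand-in for the MQL fields the rule reads (type.inbound, recipients.to[0].email.domain.domain, body.current_thread.text), and Python's re.IGNORECASE with search() is assumed to behave like regex.icontains, a case-insensitive substring match.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


# Constructed stand-in for the fields the rule reads from a Sublime message object.
# Assumption: these attribute names are this example's own, not Sublime's MQL API.
@dataclass
class Message:
    label: str              # free-text name for the sample, used in results
    inbound: bool           # type.inbound
    to_domains: List[str]   # recipients.to[i].email.domain.domain, in header order
    body_text: str          # body.current_thread.text


# The rule's own pattern. re.IGNORECASE plus search() stands in for regex.icontains,
# which the rule uses as a case-insensitive substring match.
APPROVAL_PATTERN = re.compile(r"(?:approved?|view) (?:document|payment)", re.IGNORECASE)
ADOBE_DOMAIN = "email.adobe.com"


def rule_matches(msg: Message) -> bool:
    """Evaluate the rule's three ANDed conditions in the order the source lists them."""
    if not msg.inbound:                       # type.inbound
        return False
    # recipients.to[0].email.domain.domain == "email.adobe.com", exactly as written:
    # only the first To: recipient is inspected, and a message with no To: recipient
    # cannot match because there is no element [0] to compare.
    if not msg.to_domains or msg.to_domains[0] != ADOBE_DOMAIN:
        return False
    # regex.icontains(body.current_thread.text, ...)
    return APPROVAL_PATTERN.search(msg.body_text) is not None


# Constructed samples: one lure per phrasing the pattern accepts, then one message
# for each condition that stops the rule from firing.
SAMPLES = [
    Message("approval lure", True, ["email.adobe.com"],
            "Please view document Invoice_0423.pdf and confirm the Approved Payment."),
    Message("lower-case phrasing", True, ["email.adobe.com"],
            "approve payment for the attached agreement before Friday"),
    Message("benign adobe mail", True, ["email.adobe.com"],
            "Your Creative Cloud plan renews next month."),
    Message("outbound", False, ["email.adobe.com"],
            "view document shared with you"),
    Message("other first recipient", True, ["example.com", "email.adobe.com"],
            "view document shared with you"),
]


def evaluate(samples: List[Message] = SAMPLES) -> List[Tuple[str, bool]]:
    """Return (label, matched) for each sample so the outcome can be checked, not just printed."""
    return [(m.label, rule_matches(m)) for m in samples]


if __name__ == "__main__":
    for label, hit in evaluate():
        print(f"{'MATCH ' if hit else 'no hit'}  {label}")
```

Two things the samples make visible: the optional "d" in approved? means "approve payment" and "approved payment" both fire, and the recipient check is positional, so a message whose Adobe address is not the first To: entry is never evaluated against the body pattern. The body pattern itself is short enough to appear in ordinary document-signing notifications, which is worth remembering when triaging a medium-severity hit.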
