
Commit a35b426

[PR #3477] added rule: Brand impersonation: Adobe with suspicious language and link
1 parent 37f9f99 commit a35b426


1 file changed

+169
-0
lines changed

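--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,169 @@
+name: "Brand impersonation: Adobe with suspicious language and link"
+description: "Email contains an Adobe logo, at least one link, and suspicious link language from a new sender."
+type: "rule"
+severity: "high"
+source: |
+type.inbound
+// All attachments are images or 0 attachments
+and (
+(
+length(attachments) > 0
+and all(attachments, .file_type in $file_types_images)
+)
+or length(attachments) == 0
+)
+and length(body.links) > 0
+and (
+any(ml.logo_detect(file.message_screenshot()).brands,
+.name == "Adobe" and .confidence in ("high")
+)
+or (
+strings.icontains(body.current_thread.text, "adobe")
+and not strings.icontains(body.current_thread.text, "adobe marketplace")
+and not strings.icontains(body.current_thread.text, "adobe analytics")
+and (
+// Leverage topic analysis to pick up on themes
+(
+length(ml.nlu_classifier(body.current_thread.text).topics) == 1
+and all(ml.nlu_classifier(body.current_thread.text).topics,
+.name == "File Sharing and Cloud Services"
+and .confidence != "low"
+)
+)
+// Key phrases if topic anlayis doesn't match
+or strings.icontains(body.current_thread.text, 'review the document')
+or strings.icontains(body.current_thread.text, 'access file')
+or strings.icontains(body.current_thread.text, 'pending document')
+or any(body.links, strings.ilike(.display_text, 'review and sign'))
+)
+and length(body.current_thread.text) < 2000
+)
+)
+and (
+(
+//
+// This rule makes use of a beta feature and is subject to change without notice
+// using the beta feature in custom rules is not suggested until it has been formally released
+//
+strings.ilike(beta.ocr(file.message_screenshot()).text,
+"*review*",
+"*sign*",
+"*view*",
+"open",
+"*completed document*",
+"*open agreement*",
+"*open document*"
+)
+and not strings.ilike(beta.ocr(file.message_screenshot()).text,
+"*view this email*",
+"*view*browser*",
+"*view online*",
+"*business review*"
+)
+)
+or any(body.links,
+strings.ilike(.display_text,
+"*review*",
+"*sign*",
+"*view*",
+"open",
+"*completed document*",
+"*open agreement*",
+"*open document*",
+"*continue*"
+)
+and not strings.ilike(.display_text,
+"*view this email*",
+"*view*browser*",
+"*view online*"
+)
+)
+)
+// Negate replies & forwards
+and (
+(
+(
+length(headers.references) > 0
+or not any(headers.hops,
+any(.fields, strings.ilike(.name, "In-Reply-To"))
+)
+)
+and not (
+(
+strings.istarts_with(subject.subject, "RE:")
+or strings.istarts_with(subject.subject, "RES:")
+or strings.istarts_with(subject.subject, "R:")
+or strings.istarts_with(subject.subject, "ODG:")
+or strings.istarts_with(subject.subject, "答复:")
+or strings.istarts_with(subject.subject, "AW:")
+or strings.istarts_with(subject.subject, "TR:")
+or strings.istarts_with(subject.subject, "FWD:")
+or regex.imatch(subject.subject,
+'^\[?/{0,2}(EXT|EXTERNAL)\]?/{0,2}[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
+)
+)
+)
+)
+or length(headers.references) == 0
+)
+// Negate certain common topics
+and not any(ml.nlu_classifier(body.current_thread.text).topics,
+.name in (
+"Advertising and Promotions",
+"Events and Webinars",
+"Professional and Career Development",
+"Newsletters and Digests"
+)
+and .confidence != "low"
+)
+and (
+(
+headers.auth_summary.spf.pass
+and headers.auth_summary.dmarc.pass
+and (
+not profile.by_sender().solicited
+or profile.by_sender().any_messages_malicious_or_spam
+or profile.by_sender_email().days_since.last_contact > 14
+)
+and not profile.by_sender().any_messages_benign
+// Negate affiliates, sub-products & legitimate domains
+and not sender.email.domain.root_domain in (
+"adobe-events.com",
+"frame.io",
+"nudgesecurity.io",
+"adobesignsandbox.com",
+"magento.com",
+"workfront.com"
+)
+// Continued
+and not any(headers.domains, .root_domain == "zohomail.com")
+and not strings.iends_with(headers.message_id, 'omniture.com>')
+)
+or not headers.auth_summary.spf.pass
+or headers.auth_summary.spf.pass is null
+or not headers.auth_summary.dmarc.pass
+or headers.auth_summary.dmarc.pass is null
+)
+// Negate highly trusted sender domains unless they fail DMARC authentication
+and (
+(
+sender.email.domain.root_domain in $high_trust_sender_root_domains
+and not headers.auth_summary.dmarc.pass
+)
+or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+)
+
+attack_types:
+- "Credential Phishing"
+tactics_and_techniques:
+- "Impersonation: Brand"
+- "Social engineering"
+detection_methods:
+- "Computer Vision"
+- "Content analysis"
+- "Header analysis"
+- "Sender analysis"
+id: "ef29ca07-95f6-5b35-9845-b7222394a146"
+og_id: "32cc8bf1-f4d7-549f-a970-eade24b7c6ae"
+testing_pr: 3477
+testing_sha: 4b1ddfad6f132e5e945c35ffb1b25c5e85751a60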
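Review bot: The In-Reply-To hop check in the reply/forward negation (source lines 86–89 of the new file) cannot influence the verdict: the block ends with `or length(headers.references) == 0`, so when References is empty the negation is already satisfied, and when it is non-empty `length(headers.references) > 0` already satisfies the inner disjunction, which leaves `not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))` with no effect (assuming length() never yields a negative value). As written the block reduces to `length(headers.references) == 0 or not (<subject-prefix checks>)`, so a message whose subject starts with "RE:" or "FWD:" but that carries no References header still matches; if that is the intended trade-off the dead hop condition should be removed and the comment widened to `// Negate replies & forwards that carry a References header`, and if an In-Reply-To-only reply should also be negated the trailing fallback needs to be narrowed to messages with neither header. Separately, the comment on source line 33 should read `// Key phrases if topic analysis doesn't match`.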
