Updating negations & key phrasing to Brand Impersonation: Adobe

detection-rules/impersonation_adobe_suspicious_language_link.yml

@@ -4,7 +4,7 @@ type: "rule"
 severity: "high"
 source: |
   type.inbound
-  // all attachments are images or 0 attachments
+  // All attachments are images or 0 attachments
   and (
     (
       length(attachments) > 0
@@ -19,43 +19,47 @@ source: |
     )
     or (
       strings.icontains(body.current_thread.text, "adobe")
+      and not strings.icontains(body.current_thread.text, "adobe marketplace")
+      and not strings.icontains(body.current_thread.text, "adobe analytics")
       and (
-        // leverage topic analysis to pick up on themes
+        // Leverage topic analysis to pick up on themes
         (
           length(ml.nlu_classifier(body.current_thread.text).topics) == 1
           and all(ml.nlu_classifier(body.current_thread.text).topics,
                   .name == "File Sharing and Cloud Services"
                   and .confidence != "low"
           )
         )
-        // keywords if topic anlayis doesn't match
+        // Key phrases if topic anlayis doesn't match
         or strings.icontains(body.current_thread.text, 'review the document')
         or strings.icontains(body.current_thread.text, 'access file')
         or strings.icontains(body.current_thread.text, 'pending document')
+        or any(body.links, strings.ilike(.display_text, 'review and sign'))
       )
       and length(body.current_thread.text) < 2000
     )
   )
   and (
     (
-        //
-        // This rule makes use of a beta feature and is subject to change without notice
-        // using the beta feature in custom rules is not suggested until it has been formally released
-        //
-        strings.ilike(beta.ocr(file.message_screenshot()).text,
-                      "*review*",
-                      "*sign*",
-                      "*view*",
-                      "open",
-                      "*completed document*",
-                      "*open agreement*",
-                      "*open document*"
-        )
-        and not strings.ilike(beta.ocr(file.message_screenshot()).text,
-                              "*view this email*",
-                              "*view*browser*",
-                              "*business review*"
-        )
+      //
+      // This rule makes use of a beta feature and is subject to change without notice
+      // using the beta feature in custom rules is not suggested until it has been formally released
+      //
+      strings.ilike(beta.ocr(file.message_screenshot()).text,
+                    "*review*",
+                    "*sign*",
+                    "*view*",
+                    "open",
+                    "*completed document*",
+                    "*open agreement*",
+                    "*open document*"
+      )
+      and not strings.ilike(beta.ocr(file.message_screenshot()).text,
+                            "*view this email*",
+                            "*view*browser*",
+                            "*view online*",
+                            "*business review*"
+      )
     )
     or any(body.links,
            strings.ilike(.display_text,
@@ -70,10 +74,12 @@ source: |
            )
            and not strings.ilike(.display_text,
                                  "*view this email*",
-                                 "*view*browser*"
+                                 "*view*browser*",
+                                 "*view online*"
            )
     )
   )
+  // Negate replies & forwards
   and (
     (
       (
@@ -100,8 +106,15 @@ source: |
     )
     or length(headers.references) == 0
   )
+  // Negate certain common topics
   and not any(ml.nlu_classifier(body.current_thread.text).topics,
-              .name == "Advertising and Promotions" and .confidence == "high"
+              .name in (
+                "Advertising and Promotions",
+                "Events and Webinars",
+                "Professional and Career Development",
+                "Newsletters and Digests"
+              )
+              and .confidence != "low"
   )
   and (
     (
@@ -113,25 +126,33 @@ source: |
         or profile.by_sender_email().days_since.last_contact > 14
       )
       and not profile.by_sender().any_messages_benign
+      // Negate affiliates, sub-products & legitimate domains
       and not sender.email.domain.root_domain in (
         "adobe-events.com",
         "frame.io",
+        "nudgesecurity.io",
+        "adobesignsandbox.com",
+        "magento.com",
         "workfront.com"
       )
+      // Continued
+      and not any(headers.domains, .root_domain == "zohomail.com")
+      and not strings.iends_with(headers.message_id, 'omniture.com>')
     )
     or not headers.auth_summary.spf.pass
     or headers.auth_summary.spf.pass is null
     or not headers.auth_summary.dmarc.pass
     or headers.auth_summary.dmarc.pass is null
   )
-  // negate highly trusted sender domains unless they fail DMARC authentication
+  // Negate highly trusted sender domains unless they fail DMARC authentication
   and (
     (
       sender.email.domain.root_domain in $high_trust_sender_root_domains
       and not headers.auth_summary.dmarc.pass
     )
     or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
+
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques: