• Sublime Core Feed
Medium Severity

Attachment: Adobe image lure in body or attachment with suspicious link

Labels

Credential Phishing
Image as content
Impersonation: Brand
Content analysis
Computer Vision
Optical Character Recognition
Sender analysis
URL analysis

Description

Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Apr 10th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  length(filter(attachments, .file_type not in $file_types_images)) == 0
  or length(filter(attachments, .file_type != "pdf")) == 0
)
and (
  any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Adobe")
  and 0 < length(body.links) < 10
  and any(body.links, .display_text is null)
  and (
    length(filter(body.links,
                  (
                    .display_text is null
                    and .display_url.url == sender.email.domain.root_domain
                  )
                  or .href_url.domain.root_domain in (
                    "aka.ms",
                    "mimecast.com",
                    "mimecastprotect.com",
                    "cisco.com"
                  )
           )
    ) != length(body.links)
  )
  // )
  or any(attachments,
         any(ml.logo_detect(.).brands,
             .name == "Adobe"
             and .confidence in ("medium", "high")
             and any(file.explode(..),
                     (
                       length(.scan.url.urls) > 0
                       or length(.scan.pdf.urls) > 0
                       or length(body.links) > 0
                     )
             )
         )
  )
)
and (
  (
    (
      length(headers.references) > 0
      or not any(headers.hops,
                 any(.fields, strings.ilike(.name, "In-Reply-To"))
      )
    )
    and not (
      (
        strings.istarts_with(subject.subject, "RE:")
        or strings.istarts_with(subject.subject, "RES:")
        or strings.istarts_with(subject.subject, "R:")
        or strings.istarts_with(subject.subject, "ODG:")
        or strings.istarts_with(subject.subject, "答复:")
        or strings.istarts_with(subject.subject, "AW:")
        or strings.istarts_with(subject.subject, "TR:")
        or strings.istarts_with(subject.subject, "FWD:")
        or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
      )
    )
  )
  or length(headers.references) == 0
)

// not a newsletter or advertisement
and not any(headers.hops, any(.fields, .name == "List-Unsubscribe-Post"))
and not any(beta.ml_topic(body.current_thread.text).topics,
            .name in ("Advertising and Promotions", "Newsletters and Digests")
            and .confidence == "high"
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender_email().solicited
  or profile.by_sender_email().prevalence == "new"
  or (
    profile.by_sender_email().any_messages_malicious_or_spam
    and not profile.by_sender_email().any_false_positives
  )
)
and not profile.by_sender_email().any_false_positives
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started