Medium Severity
Attachment: Adobe image lure with suspicious link
Labels
Description
Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated Dec 1st, 2023
Feed Source
Sublime Core Feed
Source
type.inbound
and (
length(filter(attachments, .file_type not in $file_types_images)) == 0
or length(filter(attachments, .file_type != "pdf")) == 0
)
and length(body.links) > 0
and all(body.links, .display_text is null)
and any(attachments,
any(ml.logo_detect(.).brands, .name == "Adobe" and .confidence in ("medium", "high"))
and any(file.explode(.),
strings.ilike(.scan.ocr.raw,
"*review*",
"*sign*",
"*view*",
"*completed document*",
"*open agreement*"
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
and not profile.by_sender().any_false_positives
Playground
Test against your own EMLs or sample data.