Sublime Core Feed
Medium Severity

Attachment: Adobe image lure with suspicious link

Description

Detects Adobe-themed phishing messages whose attachments are all images (or all PDFs), where an attachment carries an Adobe logo detected at medium or high confidence, its OCR text contains e-signature lure language ("review", "sign", "view", "completed document", "open agreement"), and a link is present either in the message body or embedded in the attachment. Messages from high-trust sender domains are excluded unless they fail DMARC, and senders with prior false positives are excluded.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Dec 19th, 2023
Feed Source
Sublime Core Feed
Source
GitHub
// inbound messages whose attachments are all images, or all PDFs
type.inbound
and (
  length(filter(attachments, .file_type not in $file_types_images)) == 0
  or length(filter(attachments, .file_type != "pdf")) == 0
)
// every body link is a bare URL with no display text (vacuously true with no links)
and all(body.links, .display_text is null)
// at least one attachment carries an Adobe logo at medium/high confidence, its OCR text
// contains e-signature lure wording, and a link exists in the body or inside the file
and any(attachments,
        any(ml.logo_detect(.).brands,
            .name == "Adobe" and .confidence in ("medium", "high")
        )
        and any(file.explode(.),
                strings.ilike(.scan.ocr.raw,
                              "*review*",
                              "*sign*",
                              "*view*",
                              "*completed document*",
                              "*open agreement*"
                )
                and (
                  (length(body.links) > 0)
                  or (length(.scan.url.urls) > 0 or length(.scan.pdf.urls) > 0)
                )
        )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

// sender is unsolicited, or previously seen as malicious/spam, and has no prior false positives
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)

and not profile.by_sender().any_false_positives
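The following is an added Python model of the rule's logic, not Sublime's code and not part of the original page, so the conditions can be exercised offline against constructed messages. Sublime's ML logo detection, OCR and URL extraction are replaced by precomputed attachment fields, and the `$file_types_images` and `$high_trust_sender_root_domains` lists are replaced by small stand-in sets; the sample messages, domains and URLs are all assumptions for illustration.

```python
# Added example (not Sublime's code): a Python model of the MQL rule above, so the
# conditions can be exercised offline. ML logo detection, OCR and URL extraction
# are modelled as precomputed attachment fields; $file_types_images and
# $high_trust_sender_root_domains are replaced by small stand-in sets (assumptions).
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

IMAGE_TYPES = {"png", "jpg", "jpeg", "gif", "bmp", "webp"}   # stand-in for $file_types_images
HIGH_TRUST_ROOT_DOMAINS = {"adobe.com", "microsoft.com"}     # stand-in for $high_trust_sender_root_domains
LURE_PATTERNS = ("*review*", "*sign*", "*view*", "*completed document*", "*open agreement*")


@dataclass
class Attachment:
    file_type: str
    logo_brands: list            # stand-in for ml.logo_detect(.).brands: [(name, confidence), ...]
    ocr_text: str                # stand-in for .scan.ocr.raw of the exploded file
    embedded_urls: list = field(default_factory=list)  # stand-in for .scan.url.urls / .scan.pdf.urls


@dataclass
class Message:
    inbound: bool
    sender_root_domain: str
    attachments: list
    body_links: list             # dicts with "href" and "display_text" (None for a bare URL)
    dmarc_results: list          # per-hop authentication_results.dmarc, None when the hop has none
    solicited: bool
    any_malicious_or_spam: bool
    any_false_positives: bool


def ilike_any(text, patterns):
    """Case-insensitive glob match, approximating strings.ilike with several patterns."""
    lowered = text.lower()
    return any(fnmatchcase(lowered, p.lower()) for p in patterns)


def attachment_types_ok(attachments):
    """All attachments are images, or all are PDFs (vacuously true with none, as in MQL)."""
    return (all(a.file_type in IMAGE_TYPES for a in attachments)
            or all(a.file_type == "pdf" for a in attachments))


def adobe_lure_attachment(msg):
    """Any attachment with an Adobe logo at medium/high confidence, lure wording in its OCR
    text, and a link either in the body or embedded in the file itself."""
    for a in msg.attachments:
        adobe_logo = any(name == "Adobe" and conf in ("medium", "high") for name, conf in a.logo_brands)
        lure_text = ilike_any(a.ocr_text, LURE_PATTERNS)
        has_link = len(msg.body_links) > 0 or len(a.embedded_urls) > 0
        if adobe_logo and lure_text and has_link:
            return True
    return False


def trusted_sender_exempt(msg):
    """High-trust root domain AND no hop whose DMARC result matches "*fail":
    the rule's negation clause then suppresses the match."""
    if msg.sender_root_domain not in HIGH_TRUST_ROOT_DOMAINS:
        return False
    dmarc_failed = any(r is not None and fnmatchcase(r.lower(), "*fail") for r in msg.dmarc_results)
    return not dmarc_failed


def sender_profile_allows(msg):
    """Unsolicited sender, or one previously seen as malicious/spam; never one with prior false positives."""
    return (not msg.any_false_positives) and ((not msg.solicited) or msg.any_malicious_or_spam)


def matches(msg):
    """True when every clause of the rule holds for the message."""
    return bool(msg.inbound
                and attachment_types_ok(msg.attachments)
                and all(link.get("display_text") is None for link in msg.body_links)
                and adobe_lure_attachment(msg)
                and not trusted_sender_exempt(msg)
                and sender_profile_allows(msg))


# Constructed sample messages (not real captures); example.invalid/.test are reserved names.
_LURE = Attachment("png", [("Adobe", "high")], "Please REVIEW and sign your completed document", [])
_BARE_LINK = [{"href": "https://docs.example.invalid/agreement", "display_text": None}]

PHISH_FROM_UNKNOWN = Message(True, "mailer.example.test", [_LURE], _BARE_LINK,
                             [None, "pass"], False, False, False)
TRUSTED_DMARC_PASS = Message(True, "adobe.com", [_LURE], _BARE_LINK, [None, "pass"], False, False, False)
TRUSTED_DMARC_FAIL = Message(True, "adobe.com", [_LURE], _BARE_LINK, [None, "fail"], False, False, False)
LOW_CONFIDENCE_LOGO = Message(True, "mailer.example.test",
                              [Attachment("png", [("Adobe", "low")], _LURE.ocr_text, [])],
                              _BARE_LINK, [None], False, False, False)
LINK_WITH_DISPLAY_TEXT = Message(True, "mailer.example.test", [_LURE],
                                 [{"href": "https://docs.example.invalid/a", "display_text": "View"}],
                                 [None], False, False, False)


def evaluate_samples():
    """Return {sample name: rule fires?} for the constructed messages."""
    samples = {"phish_from_unknown": PHISH_FROM_UNKNOWN, "trusted_dmarc_pass": TRUSTED_DMARC_PASS,
               "trusted_dmarc_fail": TRUSTED_DMARC_FAIL, "low_confidence_logo": LOW_CONFIDENCE_LOGO,
               "link_with_display_text": LINK_WITH_DISPLAY_TEXT}
    return {name: matches(m) for name, m in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:24s} {'MATCH' if fired else 'no match'}")
```

The model keeps the MQL semantics that matter for tuning: an empty attachment list satisfies the file-type clause but fails `any(attachments, ...)`, a message with no body links satisfies the display-text clause, and a high-trust sender is only re-admitted when some hop's DMARC result ends in "fail". Real messages differ in that `file.explode(.)` can yield several exploded files per attachment, each with its own OCR text, which this model collapses to one.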
