Medium Severity

Attachment: Adobe image lure with suspicious link

Description

Detects Adobe-themed phishing messages in which every attachment is an image (or every attachment is a PDF), an Adobe logo is detected either in an attachment or in a screenshot of the rendered message, and the body links carry no display text (bare URLs, as in image-only lures where the link is the only call to action). Messages from high-trust sender domains are excluded unless they fail DMARC, and senders with recorded false positives are excluded.


Author: Sublime Security
Created Aug 17th, 2023 • Last updated Mar 7th, 2024
Feed Source: Sublime Core Feed
Source: GitHub
// inbound mail only
type.inbound
// every attachment is an image, or every attachment is a PDF
// (a message with no attachments also satisfies this gate)
and (
  length(filter(attachments, .file_type not in $file_types_images)) == 0
  or length(filter(attachments, .file_type != "pdf")) == 0
)
// no body link carries display text, i.e. only bare URLs
and all(body.links, .display_text is null)
and (
  // an Adobe logo in a screenshot of the rendered message, with 1 to 9 body links
  any(file.explode(beta.message_screenshot()),
      any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Adobe")
      and 0 < length(body.links) < 10
  )
  // or a medium/high-confidence Adobe logo in an attachment whose exploded
  // content yields a URL, or where the message body itself contains links
  or any(attachments,
         any(ml.logo_detect(.).brands,
             .name == "Adobe"
             and .confidence in ("medium", "high")
             and any(file.explode(..),
                     (
                       length(.scan.url.urls) > 0
                       or length(.scan.pdf.urls) > 0
                       or length(body.links) > 0
                     )
             )
         )
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// skip senders the recipient has solicited mail from, unless that sender has
// prior malicious/spam verdicts and no false positives
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
// never fire on a sender with a recorded false positive
and not profile.by_sender().any_false_positives
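Because the rule is a conjunction of independent gates, it helps to see which gate admits or suppresses a given message. The block below is an added example, not Sublime Security's code and not an MQL evaluator: it re-implements the rule's boolean structure in Python and runs it over constructed sample messages. The ML logo detection, the rendered-message screenshot and the file.explode() output are supplied as precomputed fields on each sample, and the $file_types_images and $high_trust_sender_root_domains lists are small stand-ins; all of these are assumptions made for illustration and are marked as such in the code.

```python
# Added example (not Sublime Security's code): the boolean structure of the
# rule above re-implemented in Python and run over constructed samples.
# MQL is not evaluated; ml.logo_detect(), beta.message_screenshot() and
# file.explode() results are supplied as precomputed fields (an assumption).
from dataclasses import dataclass, field

# Assumed stand-ins for $file_types_images and $high_trust_sender_root_domains.
FILE_TYPES_IMAGES = {"png", "jpg", "jpeg", "gif", "bmp", "webp"}
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"adobe.com", "microsoft.com"}

@dataclass
class Attachment:
    file_type: str
    logo_brands: list = field(default_factory=list)    # (name, confidence) pairs, as ml.logo_detect(.).brands
    exploded_urls: list = field(default_factory=list)  # one URL list per object from file.explode(..)

@dataclass
class Message:
    inbound: bool
    sender_root_domain: str
    attachments: list
    body_links: list          # dicts {"href": ..., "display_text": ... or None}
    dmarc_results: list       # per-hop authentication_results.dmarc (None if absent)
    screenshot_brands: list   # as ml.logo_detect(beta.message_screenshot()).brands
    solicited: bool
    any_malicious_or_spam: bool
    any_false_positives: bool

def attachments_all_images_or_all_pdfs(msg):
    # Nothing but images, or nothing but PDFs. A message with no attachments passes.
    non_images = [a for a in msg.attachments if a.file_type not in FILE_TYPES_IMAGES]
    non_pdfs = [a for a in msg.attachments if a.file_type != "pdf"]
    return not non_images or not non_pdfs

def links_have_no_display_text(msg):
    # all(body.links, .display_text is null): vacuously true with no links.
    return all(link.get("display_text") is None for link in msg.body_links)

def adobe_logo_in_screenshot(msg):
    # Adobe logo in the rendered message and between 1 and 9 body links.
    return any(n == "Adobe" for n, _ in msg.screenshot_brands) and 0 < len(msg.body_links) < 10

def adobe_logo_in_attachment_with_link(msg):
    # Medium/high-confidence Adobe logo in an attachment whose exploded content
    # yields a URL, or where the body carries links. any(file.explode(..), ...)
    # is false when nothing was exploded, even if body.links is non-empty.
    for att in msg.attachments:
        for name, conf in att.logo_brands:
            if name == "Adobe" and conf in ("medium", "high") and any(
                    urls or msg.body_links for urls in att.exploded_urls):
                return True
    return False

def high_trust_sender_allows(msg):
    # Negate high-trust sender domains unless some hop reports a DMARC fail.
    if msg.sender_root_domain not in HIGH_TRUST_SENDER_ROOT_DOMAINS:
        return True
    seen = {d for d in msg.dmarc_results if d is not None}    # distinct() over hops
    return any(d.lower().endswith("fail") for d in seen)      # strings.ilike(., "*fail")

def sender_profile_allows(msg):
    # Skip solicited senders unless they have prior malicious/spam verdicts and no
    # false positives; never fire on a sender with a recorded false positive.
    ok = not msg.solicited or (msg.any_malicious_or_spam and not msg.any_false_positives)
    return ok and not msg.any_false_positives

def rule_matches(msg):
    return (msg.inbound
            and attachments_all_images_or_all_pdfs(msg)
            and links_have_no_display_text(msg)
            and (adobe_logo_in_screenshot(msg) or adobe_logo_in_attachment_with_link(msg))
            and high_trust_sender_allows(msg)
            and sender_profile_allows(msg))

def build_samples():
    # Constructed sample messages, not real captures.
    lure_png = Attachment("png", [("Adobe", "high")], [["https://docs-review.example/view"]])
    bare_link = [{"href": "https://docs-review.example/view", "display_text": None}]
    base = dict(inbound=True, body_links=bare_link, screenshot_brands=[("Adobe", "high")],
                solicited=False, any_malicious_or_spam=False, any_false_positives=False)
    return {
        # image-only lure from an unknown domain: fires
        "lookalike_lure": Message(sender_root_domain="docs-review.example",
                                  attachments=[lure_png], dmarc_results=[None], **base),
        # genuine adobe.com mail passing DMARC: the high-trust negation suppresses it
        "adobe_dmarc_pass": Message(sender_root_domain="adobe.com",
                                    attachments=[lure_png], dmarc_results=["pass"], **base),
        # spoofed adobe.com failing DMARC: the negation does not apply, fires
        "adobe_dmarc_fail": Message(sender_root_domain="adobe.com",
                                    attachments=[lure_png], dmarc_results=["FAIL"], **base),
        # image plus a .docx: the attachment-type gate rejects it
        "mixed_attachments": Message(sender_root_domain="docs-review.example",
                                     attachments=[lure_png, Attachment("docx")],
                                     dmarc_results=[None], **base),
    }

def evaluate_samples():
    # Returns {sample name: whether the rule would fire}.
    return {name: rule_matches(msg) for name, msg in build_samples().items()}
```

Calling evaluate_samples() shows the lookalike lure and the DMARC-failing adobe.com message matching, while the DMARC-passing adobe.com message is dropped by the high-trust negation and the mixed-attachment message by the attachment-type gate. Two points worth keeping in mind when tuning: a message with no attachments passes the attachment gate, so the screenshot branch alone can fire on an inline-image lure; and the attachment branch depends on file.explode() producing at least one object, since any() over an empty result is false regardless of body.links.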
