High Severity
Link: Abused Adobe Express
Description
The detection rule matches on message groups which make use of Adobe Express as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website.
References
No references.
Sublime Security
Created Jul 26th, 2024 • Last updated Dec 16th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and any(filter(body.links,
// the link is a new.express.adobe.com page
.href_url.domain.domain == "new.express.adobe.com"
and strings.starts_with(.href_url.path, "/webpage/")
),
// filter down the links on express.adobe.com page to those that are external to adobe
// check that the length of external links is reasonable
length(distinct(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
// filter any links on the adobe express page which are
// on express.adobe.com
.href_url.domain.domain != 'new.express.adobe.com'
// or www.adobe.com (privacy page/report abuse/etc)
and .href_url.domain.domain != 'www.adobe.com'
// relative links (no domains)
and .href_url.domain.domain is not null
),
.href_url.domain.domain
)
) <= 10
and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
// filter any links on the adobe express page which are
// on express.adobe.com
.href_url.domain.domain != 'new.express.adobe.com'
// or www.adobe.com (privacy page/report abuse/etc)
and .href_url.domain.domain != 'www.adobe.com'
// relative links (no domains)
and .href_url.domain.domain is not null
),
(
// any of those links domains are new
network.whois(.href_url.domain).days_old < 30
// go to free file hosts
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.domain in $free_file_hosts
// go to free subdomains hosts
or (
.href_url.domain.root_domain in $free_subdomain_hosts
// where there is a subdomain
and .href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
)
// go to url shortners
or .href_url.domain.root_domain in $url_shorteners
or .href_url.domain.domain in $url_shorteners
or (
// find any links that mention common "action" words
regex.icontains(.display_text,
'(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
)
and (
// and when visiting those links, are phishing
ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
// hit a captcha page
or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
// or the page redirects to common website, observed when evasion happens
or (
length(ml.link_analysis(., mode="aggressive").redirect_history
) > 0
and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
)
)
)
)
)
)
and profile.by_sender().prevalence != "common"
Playground
Test against your own EMLs or sample data.