• Sublime Core Feed
Medium Severity

Link: Adobe share from unsolicited sender

Description

This attack surface reduction rule matches Adobe share notifications in which the sharing user's email address (as determined by the sender display name) doesn't appear to have a relationship with the recipient organization.

References

No references.

Sublime Security
Created Oct 24th, 2024 • Last updated Jan 12th, 2026
Source
type.inbound
// from Adobe Actual
and strings.icontains(sender.display_name, 'via Adobe')
and sender.email.email == 'message@adobe.com'
and headers.auth_summary.dmarc.pass
// contains a link to open or review a share
and any(body.links, .display_text =~ "open" or .display_text =~ "review")
// attempt to ensure the sender (from the sender.display_name) does NOT have a relationship with the recipient org

// not sent from an Adobe user within the org's domains
and not any($org_domains,
            strings.icontains(sender.display_name,
                              strings.concat("@", ., ' via Adobe')
            )
)
// the org has never sent a message to the address within the sender.display_name
and not any($recipient_emails, strings.istarts_with(sender.display_name, .))
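
The rule's conditions modeled in Python and run over constructed messages, as an added example that is not Sublime's code. It assumes `=~` is case-insensitive equality and the `i`-prefixed string functions ignore case; the dictionary keys, addresses, domains and list contents are made up for illustration.

```python
# Approximate Python model of the rule's conditions (added illustration).
# Keys mirror the MQL fields; all sample values below are constructed.

def rule_matches(msg, org_domains, recipient_emails):
    name = msg["display_name"].lower()
    # Sent by Adobe's real notification address and authenticated by DMARC
    from_adobe = (
        msg["type"] == "inbound"
        and "via adobe" in name
        and msg["sender_email"] == "message@adobe.com"
        and msg["dmarc_pass"]
    )
    # A link whose display text equals "open" or "review", ignoring case
    share_link = any(t.lower() in ("open", "review") for t in msg["link_texts"])
    # Display name carries an address in one of the org's own domains
    internal = any(f"@{d.lower()} via adobe" in name for d in org_domains)
    # Display name starts with an address the org has previously emailed
    known = any(name.startswith(e.lower()) for e in recipient_emails)
    return from_adobe and share_link and not internal and not known


def sample(display_name, dmarc_pass=True, link_texts=("Open",)):
    return {"type": "inbound", "display_name": display_name,
            "sender_email": "message@adobe.com",
            "dmarc_pass": dmarc_pass, "link_texts": list(link_texts)}


ORG_DOMAINS = ["corp.example"]                  # stands in for $org_domains
RECIPIENT_EMAILS = ["partner@vendor.example"]   # stands in for $recipient_emails

SAMPLES = {
    "unknown sender": sample("stranger@unknown.example via Adobe"),
    "internal user": sample("alice@corp.example via Adobe"),
    "known contact": sample("partner@vendor.example via Adobe"),
    "dmarc failure": sample("stranger@unknown.example via Adobe", dmarc_pass=False),
    "no share link": sample("stranger@unknown.example via Adobe", link_texts=("Help",)),
    # A subdomain is not covered by "@corp.example via Adobe", so this matches
    "org subdomain": sample("bob@mail.corp.example via Adobe"),
}


def evaluate():
    return {label: rule_matches(m, ORG_DOMAINS, RECIPIENT_EMAILS)
            for label, m in SAMPLES.items()}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{label:15} {'MATCH' if hit else 'no match'}")
```

The last sample is a tuning point: a sender on an organization subdomain matches unless that subdomain is in the org domain list or the address has been emailed before.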