Medium Severity

Link: Multistage Landing - Abuse Adobe Acrobat Hosted PDF

Labels

Credential Phishing

Impersonation: Brand

Social engineering

Computer Vision

Optical Character Recognition

URL analysis

Header analysis

Sender analysis

Description

Detects an inbound message containing an Adobe Acrobat link that leads to a single page PDF document with suspicious indicators, including minimal text, brand logos, and document viewer language. The sender is not from Adobe.com and the message is not a reply.

References

No references.

Sublime Security

Created Apr 15th, 2025 • Last updated Jun 16th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(body.links,
        .href_url.domain.domain == "acrobat.adobe.com"
        and strings.istarts_with(.href_url.path, '/id/urn:')
)
and length(distinct(filter(body.links,
                           .href_url.domain.domain == "acrobat.adobe.com"
                           and strings.istarts_with(.href_url.path, '/id/urn:')
                    ),
                    .href_url.url
           )
) == 1
and any(filter(body.links,
               .href_url.domain.domain == "acrobat.adobe.com"
               and strings.istarts_with(.href_url.path, '/id/urn:')
        ),
        any(ml.link_analysis(., mode="aggressive").additional_responses,
            (
              any(file.explode(.file),
                  any(.scan.exiftool.fields,
                  // password protected pdf
                      .key == "Warning"
                      and strings.icontains(.value, "password protected")
                  )
              )
              // a low amount of links
              or (
                any(file.explode(.file), 1 <= length(.scan.url.urls) <= 2)
                // a single page
                and any(file.explode(.file),
                        .scan.exiftool.page_count == 1
                        // occurs when there are exif errors
                        or .scan.exiftool.page_count is null
                )
                // susipicious indicators
                and (
                  // logo detection of brands for file sharing companies
                  any(ml.logo_detect(.file).brands,
                      .name in ("DocuSign", "Adobe")
                      or strings.istarts_with(.name, 'Microsoft')
                  )
                  // look at the OCR of the document as well
                  or (
                    length(beta.ocr(.file).text) < 750
                    and (
                      strings.icontains(beta.ocr(.file).text, 'view document')
                      or strings.icontains(beta.ocr(.file).text,
                                           'New PDF Document'
                      )
                      or strings.icontains(beta.ocr(.file).text,
                                           'please wait...'
                      )
                      or strings.icontains(beta.ocr(.file).text,
                                           "display this type of document"
                      )
                      or strings.icontains(beta.ocr(.file).text, 'PDF viewer')
                      or regex.icontains(beta.ocr(.file).text,
                                         'e-sign(?:ature)?'
                      )
                      or strings.icontains(beta.ocr(.file).text,
                                           'review and sign'
                      )
                      or strings.icontains(beta.ocr(.file).text,
                                           'shared a document'
                      )
                    )
                  )
                )
              )
            )
        )
)
and length(headers.references) == 0
and headers.in_reply_to is null
and sender.email.domain.root_domain != "adobe.com"

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.