Sublime Core Feed
Low Severity

Service abuse: Adobe Creative Cloud share from an unsolicited sender address

Description

Detects messages from Adobe Creative Cloud in which the document originates from a newly observed email address. The email address is extracted from the HTML body.

Sublime Security
Created Oct 22nd, 2025 • Last updated Oct 22nd, 2025
Source
type.inbound
and sender.email.email == "message@adobe.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
and any(html.xpath(body.html,
                   "//td[@style[contains(., 'adobe-clean-display')]]/strong/a/text()"
        ).nodes,
        strings.parse_email(.raw).domain.root_domain not in $org_domains
        and strings.parse_email(.raw).email not in $recipient_emails
        and strings.parse_email(.raw).email not in $sender_emails
        and not (
          strings.parse_email(.raw).domain.domain not in $free_email_providers
          and strings.parse_email(.raw).domain.domain in $recipient_domains
          and strings.parse_email(.raw).domain.domain in $sender_domains
        )
)
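
The body condition of the rule, re-expressed in Python and run over a constructed share notification. This is an added example, not Sublime's code: the parser class only approximates the XPath, the list names mirror the rule's `$` lists with constructed values, and `root_domain` is approximated by the last two labels. The header conditions (sender address, SPF, DMARC) are not modelled.

```python
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "meta", "input", "link"}  # tags that never get an end tag

class SharerExtractor(HTMLParser):
    """Collects a/text() under td[style contains 'adobe-clean-display']/strong."""
    def __init__(self):
        super().__init__()
        self.stack, self.found = [], []
    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            self.stack.append((tag, dict(attrs).get("style") or ""))
    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # pop back to the matching open tag
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break
    def handle_data(self, data):
        s, text = self.stack, data.strip()
        if (text and len(s) >= 3 and s[-1][0] == "a" and s[-2][0] == "strong"
                and s[-3][0] == "td" and "adobe-clean-display" in s[-3][1]):
            self.found.append(text)

def flagged_sharers(body_html, lists):
    """Return the sharer addresses that satisfy the rule's any(...) condition."""
    parser = SharerExtractor()
    parser.feed(body_html)
    hits = []
    for raw in parser.found:
        email = raw.lower()
        if "@" not in email:
            continue  # assumption: link text that is not an address never matches
        domain = email.rpartition("@")[2]
        root = ".".join(domain.split(".")[-2:])  # simplification, no public-suffix list
        # Exception clause: a non-free domain already seen as both recipient and sender.
        known_domain = (domain not in lists["free_email_providers"]
                        and domain in lists["recipient_domains"]
                        and domain in lists["sender_domains"])
        if (root not in lists["org_domains"] and email not in lists["recipient_emails"]
                and email not in lists["sender_emails"] and not known_domain):
            hits.append(email)
    return hits

# Constructed sample data, not taken from a real message or tenant.
SAMPLE = ('<table><tr><td style="font-family:adobe-clean-display,sans-serif">'
          '<strong><a href="mailto:{0}">{0}</a></strong> shared a file</td></tr></table>')
LISTS = {"org_domains": {"example.com"}, "free_email_providers": {"gmail.com"},
         "recipient_emails": {"partner@vendor.example"}, "sender_emails": {"partner@vendor.example"},
         "recipient_domains": {"vendor.example", "gmail.com"}, "sender_domains": {"vendor.example", "gmail.com"}}
```

The free-provider case is the one to note: a domain such as gmail.com appearing in both domain lists does not exempt a new address at that domain, because the exception clause requires the domain to be outside `$free_email_providers`.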