• Sublime Core Feed
Medium Severity

Service abuse: Adobe legitimate domain with document approval language

Labels

BEC/Fraud
Credential Phishing
Social engineering
Content analysis
Header analysis
Sender analysis

Description

Detects messages from Adobe's legitimate email domain containing suspicious language about document or payment approval that may indicate service abuse.

References

No references.

Sublime Security
Created Jan 23rd, 2026 • Last updated Jan 23rd, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and recipients.to[0].email.domain.domain == "email.adobe.com"
and regex.icontains(body.current_thread.text,
                    "(?:approved?|view) (?:document|payment)"
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started