← Back to Explore
sublimehighRule
Brand impersonation: Adobe (QR code)
Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
Detection Query
type.inbound
and (
any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and (
any(ml.logo_detect(.).brands,
.name == "Adobe" and .confidence in ("medium", "high")
)
or any(ml.logo_detect(file.message_screenshot()).brands,
.name == "Adobe"
)
or any(file.explode(.),
any(.scan.strings.strings,
regex.icontains(., "adobe (acrobat|sign)")
// negate PDF data, like "xmp:CreatorTool>Adobe Acrobat Pro (64-bit) 24.4.20272</xmp:CreatorTool>"
and not regex.icontains(.,
"(creatortool|producer|creator).{1,5}adobe acrobat"
)
)
)
)
)
or any(attachments,
.file_extension in $file_extensions_macros
and any(file.explode(.), .depth == 0 and .scan.docx.image_count > 0)
and any(file.explode(.),
any(.scan.strings.strings, strings.ilike(., "*adobe*"))
)
)
)
and any(attachments,
(
.file_type in $file_types_images
or .file_type == "pdf"
or .file_type in $file_extensions_macros
)
and (
any(file.explode(.),
regex.icontains(.scan.ocr.raw, 'scan|camera')
and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
)
or (
any(file.explode(.),
.scan.qr.type == "url"
// recipient email address is present in the URL, a common tactic used in credential phishing attacks
and any(recipients.to,
(
(
.email.domain.valid
and (
strings.icontains(..scan.qr.data, .email.email)
or any(beta.scan_base64(..scan.qr.data,
format="url"
),
strings.icontains(., ..email.email)
)
)
)
or strings.icontains(.display_name, "undisclosed")
)
// the recipients sld is in the senders display name
or any(recipients.to,
strings.icontains(sender.display_name,
.email.domain.sld
)
)
// the recipient local is in the body
or any(recipients.to,
strings.icontains(body.current_thread.text,
.email.local_part
)
)
// or the body is null
or body.current_thread.text is null
or body.current_thread.text == ""
// or the subject contains authentication/urgency verbiage
or regex.contains(subject.subject,
"(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
)
// high confidence cred theft in body
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("high")
)
)
)
)
)
)
and (
not any(headers.hops,
.authentication_results.compauth.verdict is not null
and .authentication_results.compauth.verdict == "pass"
and sender.email.domain.root_domain in (
"acrobat.com",
"adobecc.com",
"adobecces.com",
"adobeccstatic.com",
"adobe.com",
"adobeexchange.com",
"adobe-identity.com",
"adobe.io",
"adobejanus.com",
"adobelogin.com",
"adobe.net",
"adobeprojectm.com",
"adoberesources.net",
"adobesc.com",
"adobesign.com",
"adobestock.com",
"createjs.com",
"licensingstack.com",
"myportfolio.com",
"photoshop.com",
"typekit.com",
"typekit.net"
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Adobe (QR code)"
description: "Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads."
type: "rule"
severity: "high"
source: |
type.inbound
and (
any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and (
any(ml.logo_detect(.).brands,
.name == "Adobe" and .confidence in ("medium", "high")
)
or any(ml.logo_detect(file.message_screenshot()).brands,
.name == "Adobe"
)
or any(file.explode(.),
any(.scan.strings.strings,
regex.icontains(., "adobe (acrobat|sign)")
// negate PDF data, like "xmp:CreatorTool>Adobe Acrobat Pro (64-bit) 24.4.20272</xmp:CreatorTool>"
and not regex.icontains(.,
"(creatortool|producer|creator).{1,5}adobe acrobat"
)
)
)
)
)
or any(attachments,
.file_extension in $file_extensions_macros
and any(file.explode(.), .depth == 0 and .scan.docx.image_count > 0)
and any(file.explode(.),
any(.scan.strings.strings, strings.ilike(., "*adobe*"))
)
)
)
and any(attachments,
(
.file_type in $file_types_images
or .file_type == "pdf"
or .file_type in $file_extensions_macros
)
and (
any(file.explode(.),
regex.icontains(.scan.ocr.raw, 'scan|camera')
and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
)
or (
any(file.explode(.),
.scan.qr.type == "url"
// recipient email address is present in the URL, a common tactic used in credential phishing attacks
and any(recipients.to,
(
(
.email.domain.valid
and (
strings.icontains(..scan.qr.data, .email.email)
or any(beta.scan_base64(..scan.qr.data,
format="url"
),
strings.icontains(., ..email.email)
)
)
)
or strings.icontains(.display_name, "undisclosed")
)
// the recipients sld is in the senders display name
or any(recipients.to,
strings.icontains(sender.display_name,
.email.domain.sld
)
)
// the recipient local is in the body
or any(recipients.to,
strings.icontains(body.current_thread.text,
.email.local_part
)
)
// or the body is null
or body.current_thread.text is null
or body.current_thread.text == ""
// or the subject contains authentication/urgency verbiage
or regex.contains(subject.subject,
"(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
)
// high confidence cred theft in body
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("high")
)
)
)
)
)
)
and (
not any(headers.hops,
.authentication_results.compauth.verdict is not null
and .authentication_results.compauth.verdict == "pass"
and sender.email.domain.root_domain in (
"acrobat.com",
"adobecc.com",
"adobecces.com",
"adobeccstatic.com",
"adobe.com",
"adobeexchange.com",
"adobe-identity.com",
"adobe.io",
"adobejanus.com",
"adobelogin.com",
"adobe.net",
"adobeprojectm.com",
"adoberesources.net",
"adobesc.com",
"adobesign.com",
"adobestock.com",
"createjs.com",
"licensingstack.com",
"myportfolio.com",
"photoshop.com",
"typekit.com",
"typekit.net"
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "PDF"
- "QR code"
detection_methods:
- "Computer Vision"
- "Header analysis"
- "QR code analysis"
- "Sender analysis"
id: "2fc36c6d-86a2-5b12-b5a4-5d8744858381"