Link: Multistage landing - Abused Adobe Acrobat hosted PDF

name: "Link: Multistage landing - Abused Adobe Acrobat hosted PDF"
description: "Detects an inbound message containing an Adobe Acrobat link that leads to a single page PDF document with suspicious indicators, including minimal text, brand logos, and document viewer language. The sender is not from Adobe.com and the message is not a reply."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.domain == "acrobat.adobe.com"
          and strings.istarts_with(.href_url.path, '/id/urn:')
  )
  and length(distinct(filter(body.links,
                             .href_url.domain.domain == "acrobat.adobe.com"
                             and strings.istarts_with(.href_url.path, '/id/urn:')
                      ),
                      .href_url.url
             )
  ) == 1
  and any(filter(body.links,
                 .href_url.domain.domain == "acrobat.adobe.com"
                 and strings.istarts_with(.href_url.path, '/id/urn:')
          ),
          any(ml.link_analysis(., mode="aggressive").additional_responses,
              (
                any(file.explode(.file),
                    any(.scan.exiftool.fields,
                        // password protected pdf
                        .key == "Warning"
                        and strings.icontains(.value, "password protected")
                    )
                )
                // a low amount of links
                or (
                  any(file.explode(.file), 1 <= length(.scan.url.urls) <= 2)
                  // a single page
                  and any(file.explode(.file),
                          .scan.exiftool.page_count == 1
                          // occurs when there are exif errors
                          or .scan.exiftool.page_count is null
                  )
                  // susipicious indicators
                  and (
                    // logo detection of brands for file sharing companies
                    any(ml.logo_detect(.file).brands,
                        .name in ("DocuSign", "Adobe")
                        or strings.istarts_with(.name, 'Microsoft')
                    )
                    // look at the OCR of the document as well
                    or (
                      length(beta.ocr(.file).text) < 750
                      and (
                        strings.icontains(beta.ocr(.file).text, 'view document')
                        or strings.icontains(beta.ocr(.file).text,
                                             'New PDF Document'
                        )
                        or strings.icontains(beta.ocr(.file).text,
                                             'please wait...'
                        )
                        or strings.icontains(beta.ocr(.file).text,
                                             "display this type of document"
                        )
                        or strings.icontains(beta.ocr(.file).text, 'PDF viewer')
                        or regex.icontains(beta.ocr(.file).text,
                                           'e-sign(?:ature)?'
                        )
                        or strings.icontains(beta.ocr(.file).text,
                                             'review and sign'
                        )
                        or strings.icontains(beta.ocr(.file).text,
                                             'shared a document'
                        )
                      )
                    )
                  )
                )
              )
          )
  )
  and length(headers.references) == 0
  and headers.in_reply_to is null
  and sender.email.domain.root_domain != "adobe.com"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Optical Character Recognition"
  - "URL analysis"
  - "Header analysis"
  - "Sender analysis"
id: "609081ef-ca1a-577f-a886-a590e39655eb"