
Brand impersonation: Adobe Sign with suspicious indicators

Detects messages impersonating Adobe Sign that contain Adobe branding elements but are not sent from legitimate Adobe domains and lack proper Adobe Sign authentication headers.

MITRE ATT&CK

initial-access

Detection Query

// Rule logic: inbound messages that carry Adobe Sign branding (alt text,
// logo filename, or images hosted on adobesign.com) and no PDF attachment,
// minus a set of exclusions that identify genuine Adobe Sign traffic.
// Any single exclusion in the "and not (...)" groups below suppresses the alert.
type.inbound
// Messages with a PDF attached are out of scope. The rationale is not stated
// here; presumably the lure of interest links out rather than attaching a document.
and length(filter(attachments, .file_type == "pdf")) == 0
and (
  // Branding check 1: case-insensitive regex substring matches on the raw HTML.
  // Note the "." before "png" in the second pattern is an unescaped wildcard,
  // so that pattern is slightly broader than a literal ".png".
  regex.icontains(body.html.raw,
                  'alt="Adobe(?: Acrobat)? Sign"',
                  "adobe-sign-logo.{0,20}.png",
                  'alt="Powered by Adobe Acrobat Sign"'
  )
  // Branding check 2: any <img src> whose root domain is adobesign.com and whose
  // path is the co-branding logo path or references the checkmarkCircle asset.
  or any(html.xpath(body.html, "//img/@src").nodes,
         strings.parse_url(.raw).domain.root_domain == "adobesign.com"
         and (
           strings.istarts_with(strings.parse_url(.raw).path, "/cobrand_logo/")
           or strings.icontains(strings.parse_url(.raw).path, "checkmarkCircle")
         )
  )
)
and not (
  // inspect the "oldest" thread, negate where that thread is the original Adobe Sign email (based on link domains)
  // The oldest thread is the last element of body.previous_threads. It must have
  // at least one link, and every link must resolve to an allowlisted Adobe/Mimecast/
  // aka.ms domain, an $org_domains entry, the sender's root domain, or the root
  // domain of a To: recipient ("..href_url" refers to the link from the enclosing
  // all(), not the recipient).
  // NOTE(review): the sender-domain and recipient-domain clauses are taken from the
  // message under review rather than from a fixed allowlist; confirm that is the
  // intended level of trust for this exclusion.
  (
    length(body.previous_threads[length(body.previous_threads) - 1].links) > 0
    and all(body.previous_threads[length(body.previous_threads) - 1].links,
            .href_url.domain.root_domain in (
              "aka.ms",
              "adobe.com",
              "adobesign.com",
              "echosign.com",
              "adobesignsandbox.com",
              "mimecastprotect.com",
              "mimecast.com"
            )
            or .href_url.domain.root_domain in $org_domains
            or .href_url.domain.root_domain == sender.email.domain.root_domain
            or any(recipients.to,
                   .email.domain.root_domain == ..href_url.domain.root_domain
            )
    )
  )
  // legit review button
  // A link whose display text is one of the known Adobe Sign call-to-action
  // strings (exact match) and whose target is an Adobe domain, either directly or
  // behind a Mimecast URL rewrite whose decoded "domain" query parameter resolves
  // to an Adobe domain.
  or any(body.links,
         .display_text in (
           "Review and sign",
           "the document",
           "Open agreement",
           "VIEW DOCUMENTS",
           "Click here to review and sign"
         )
         and (
           .href_url.domain.root_domain in (
             "adobe.com",
             "adobesign.com",
             "echosign.com",
             "adobesignsandbox.com",
           )
           // Mimecast link logic
           or (
             .href_url.domain.root_domain in (
               "mimecastprotect.com",
               "mimecast.com"
             )
             and any(.href_url.query_params_decoded['domain'],
                     strings.parse_domain(.).root_domain in (
                       "adobe.com",
                       "adobesign.com",
                       "echosign.com",
                       "adobesignsandbox.com",
                     )
             )
           )
         )
  )
  // accidental recipient
  or any(recipients.to, .email.email == "adobesign@adobesign.com")
  // known Adobe Sign message ID formats
  // Only the first References entry is checked, with regex.imatch (case-insensitive;
  // presumably a full-string match, which would make the "$" on the second pattern
  // redundant).
  // NOTE(review): the guard allows headers.references to be empty when
  // body.previous_threads is non-empty, so headers.references[0] may be absent;
  // confirm that evaluates to a non-match rather than an evaluation error.
  or (
    (length(headers.references) > 1 or length(body.previous_threads) != 0)
    and regex.imatch(headers.references[0],
                     '[0-9]{9,10}\.[0-9]{4,6}\.[0-9]{13}@event-consumer-prod-[a-z]-[a-z0-9]{7,10}-[a-z0-9]{5}',
                     '[0-9]{8,10}\.[0-9]{5,7}\.[0-9]{13}@(webapp|job)-prod-.*$',
                     '[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}-APO-PRODHIPAA@apo-p-h'
    )
  )
  // negate Adobe Sign messages from custom domains
  // Presence-only check on hop header field names; the field values are not inspected.
  or any(headers.hops,
         any(.fields, .name in ("Adobesigneventid", "Agreementid"))
  )
)
// Exclude mail whose sender root domain is a known Adobe domain (or helpscout.net)
// when DMARC passes; a failing or missing DMARC result keeps such senders in scope.
and not (
  sender.email.domain.root_domain in (
    "adobe.com",
    "adobesign.com",
    "adobesignsandbox.com",
    "echosign.com",
    // ticketing software that embeds emails
    "helpscout.net"
  )
  and headers.auth_summary.dmarc.pass
)
// High-trust sender domains only remain in scope when DMARC does not pass;
// every other sender domain is always eligible.
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Rule definition as published on the page. The "source" block scalar holds the
# detection query; "//" lines inside it are query comments, not YAML comments.
name: "Brand impersonation: Adobe Sign with suspicious indicators"
description: "Detects messages impersonating Adobe Sign that contain Adobe branding elements but are not sent from legitimate Adobe domains and lack proper Adobe Sign authentication headers."
type: "rule"
severity: "high"
source: |
  // Rule logic: inbound messages that carry Adobe Sign branding (alt text,
  // logo filename, or images hosted on adobesign.com) and no PDF attachment,
  // minus a set of exclusions that identify genuine Adobe Sign traffic.
  // Any single exclusion in the "and not (...)" groups below suppresses the alert.
  type.inbound
  // Messages with a PDF attached are out of scope. The rationale is not stated
  // here; presumably the lure of interest links out rather than attaching a document.
  and length(filter(attachments, .file_type == "pdf")) == 0
  and (
    // Branding check 1: case-insensitive regex substring matches on the raw HTML.
    // Note the "." before "png" in the second pattern is an unescaped wildcard,
    // so that pattern is slightly broader than a literal ".png".
    regex.icontains(body.html.raw,
                    'alt="Adobe(?: Acrobat)? Sign"',
                    "adobe-sign-logo.{0,20}.png",
                    'alt="Powered by Adobe Acrobat Sign"'
    )
    // Branding check 2: any <img src> whose root domain is adobesign.com and whose
    // path is the co-branding logo path or references the checkmarkCircle asset.
    or any(html.xpath(body.html, "//img/@src").nodes,
           strings.parse_url(.raw).domain.root_domain == "adobesign.com"
           and (
             strings.istarts_with(strings.parse_url(.raw).path, "/cobrand_logo/")
             or strings.icontains(strings.parse_url(.raw).path, "checkmarkCircle")
           )
    )
  )
  and not (
    // inspect the "oldest" thread, negate where that thread is the original Adobe Sign email (based on link domains)
    // The oldest thread is the last element of body.previous_threads. It must have
    // at least one link, and every link must resolve to an allowlisted Adobe/Mimecast/
    // aka.ms domain, an $org_domains entry, the sender's root domain, or the root
    // domain of a To: recipient ("..href_url" refers to the link from the enclosing
    // all(), not the recipient).
    // NOTE(review): the sender-domain and recipient-domain clauses are taken from the
    // message under review rather than from a fixed allowlist; confirm that is the
    // intended level of trust for this exclusion.
    (
      length(body.previous_threads[length(body.previous_threads) - 1].links) > 0
      and all(body.previous_threads[length(body.previous_threads) - 1].links,
              .href_url.domain.root_domain in (
                "aka.ms",
                "adobe.com",
                "adobesign.com",
                "echosign.com",
                "adobesignsandbox.com",
                "mimecastprotect.com",
                "mimecast.com"
              )
              or .href_url.domain.root_domain in $org_domains
              or .href_url.domain.root_domain == sender.email.domain.root_domain
              or any(recipients.to,
                     .email.domain.root_domain == ..href_url.domain.root_domain
              )
      )
    )
    // legit review button
    // A link whose display text is one of the known Adobe Sign call-to-action
    // strings (exact match) and whose target is an Adobe domain, either directly or
    // behind a Mimecast URL rewrite whose decoded "domain" query parameter resolves
    // to an Adobe domain.
    or any(body.links,
           .display_text in (
             "Review and sign",
             "the document",
             "Open agreement",
             "VIEW DOCUMENTS",
             "Click here to review and sign"
           )
           and (
             .href_url.domain.root_domain in (
               "adobe.com",
               "adobesign.com",
               "echosign.com",
               "adobesignsandbox.com",
             )
             // Mimecast link logic
             or (
               .href_url.domain.root_domain in (
                 "mimecastprotect.com",
                 "mimecast.com"
               )
               and any(.href_url.query_params_decoded['domain'],
                       strings.parse_domain(.).root_domain in (
                         "adobe.com",
                         "adobesign.com",
                         "echosign.com",
                         "adobesignsandbox.com",
                       )
               )
             )
           )
    )
    // accidental recipient
    or any(recipients.to, .email.email == "adobesign@adobesign.com")
    // known Adobe Sign message ID formats
    // Only the first References entry is checked, with regex.imatch (case-insensitive;
    // presumably a full-string match, which would make the "$" on the second pattern
    // redundant).
    // NOTE(review): the guard allows headers.references to be empty when
    // body.previous_threads is non-empty, so headers.references[0] may be absent;
    // confirm that evaluates to a non-match rather than an evaluation error.
    or (
      (length(headers.references) > 1 or length(body.previous_threads) != 0)
      and regex.imatch(headers.references[0],
                       '[0-9]{9,10}\.[0-9]{4,6}\.[0-9]{13}@event-consumer-prod-[a-z]-[a-z0-9]{7,10}-[a-z0-9]{5}',
                       '[0-9]{8,10}\.[0-9]{5,7}\.[0-9]{13}@(webapp|job)-prod-.*$',
                       '[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}-APO-PRODHIPAA@apo-p-h'
      )
    )
    // negate Adobe Sign messages from custom domains
    // Presence-only check on hop header field names; the field values are not inspected.
    or any(headers.hops,
           any(.fields, .name in ("Adobesigneventid", "Agreementid"))
    )
  )
  // Exclude mail whose sender root domain is a known Adobe domain (or helpscout.net)
  // when DMARC passes; a failing or missing DMARC result keeps such senders in scope.
  and not (
    sender.email.domain.root_domain in (
      "adobe.com",
      "adobesign.com",
      "adobesignsandbox.com",
      "echosign.com",
      // ticketing software that embeds emails
      "helpscout.net"
    )
    and headers.auth_summary.dmarc.pass
  )
  // High-trust sender domains only remain in scope when DMARC does not pass;
  // every other sender domain is always eligible.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
# Classification metadata shown on the page alongside the query.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Sender analysis"
# Rule identifier as published; presumably stable across revisions of the query.
id: "704d143a-7ef2-5601-9e38-e659f0f65c8c"