EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Link: Adobe share from unsolicited sender

This attack surface reduction rule matches on messages from Adobe which were sent by an email address (as determined by the sender display name) which doesn't appear to have a relationship with the recipient organization.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1036T1027
defense-evasion

Detection Query

type.inbound
// from Adobe Actual
and strings.icontains(sender.display_name, 'via Adobe')
and sender.email.email == 'message@adobe.com'
and headers.auth_summary.dmarc.pass
// contains a link to open or review a share
and any(body.links, .display_text =~ "open" or .display_text =~ "review")
// attempt to ensure the sender (from the sender.display_name) does NOT have a relationship with to recipient org

// not sent from a Adobe User within the org's domains
and not any($org_domains,
            strings.icontains(sender.display_name,
                              strings.concat("@", ., ' via Adobe')
            )
)
// the org has never sent a message to the address within the sender.display_name
and not any($recipient_emails, strings.istarts_with(sender.display_name, .))

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
name: "Link: Adobe share from unsolicited sender"
description: "This attack surface reduction rule matches on messages from Adobe which were sent by an email address (as determined by the sender display name) which doesn't appear to have a relationship with the recipient organization."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // from Adobe Actual
  and strings.icontains(sender.display_name, 'via Adobe')
  and sender.email.email == 'message@adobe.com'
  and headers.auth_summary.dmarc.pass
  // contains a link to open or review a share
  and any(body.links, .display_text =~ "open" or .display_text =~ "review")
  // attempt to ensure the sender (from the sender.display_name) does NOT have a relationship with to recipient org
  
  // not sent from a Adobe User within the org's domains
  and not any($org_domains,
              strings.icontains(sender.display_name,
                                strings.concat("@", ., ' via Adobe')
              )
  )
  // the org has never sent a message to the address within the sender.display_name
  and not any($recipient_emails, strings.istarts_with(sender.display_name, .))
tags:
 - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "8e29ab33-a52a-5a48-9e2b-f178ded7d7bb"