← Back to Explore
sublimehighRule
Link: Adobe share with suspicious indicators
The detection rule matches messages sent from Adobe and contain indicators of malicious use. The indicators include observed call to action phrases, suspicious filenames, all capital filenames, the sender's display name (as determined by NLU) included in the comment section, or Microsoft branding on the shared link.
Detection Query
type.inbound
// from Adobe Actual
and strings.icontains(sender.display_name, 'via Adobe')
and sender.email.email == 'message@adobe.com'
and headers.auth_summary.dmarc.pass
// contains a link to open or review a share
and any(body.links, .display_text =~ "open" or .display_text =~ "review")
// not sent from a Adobe User within the org's domains
and not any($org_domains,
strings.icontains(sender.display_name,
strings.concat("@", ., ' via Adobe')
)
// sometimes the email is in parentheses
or strings.icontains(sender.display_name,
strings.concat("@", ., ') via Adobe')
)
)
and (
// the comments observed wording, using the html to make sure it's in the actor controlled section of the message
regex.icontains(body.html.raw,
'<tr>[\r\n]+<td style="color:#505050; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:18px; line-height:26px; padding-top:20px;">[\r\n]+<xmp style="font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:18px; line-height:26px overflow-x:auto; white-space:pre-wrap; white-space:-moz-pre-wrap; white-space:-pre-wrap; white-space:-o-pre-wrap; word-wrap:break-word;">Please review the attached below for your reference,'
)
// the filename shared
or regex.icontains(body.html.raw,
// , ends in some random numbers
'<td style="color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;">[\r\n]+<strong>[^\<]+<\/strong> (invited you to review|has shared) <strong>[^\<]+([]|[[:punct:]\s](?:AP|AR)?\d+[a-z]?)<\/strong></td>[\r\n]+</tr>'
)
// contains all capital letters, allowing for numbers
or regex.contains(body.html.raw,
'<td style="color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;">[\r\n]+<strong>[^\<]+<\/strong> (invited you to review|has shared) <strong>(?:[A-Z0-9_\-\s]+)<\/strong></td>[\r\n]+</tr>',
)
// contains commonly observed themes used by actors
or regex.icontains(body.html.raw,
// , ends in some random numbers
'<td style=\"color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;\">[\r\n]+<strong>[^\<]+<\/strong> invited you to review <strong>[^\<]*(Invoice|Payment|Agreement|Settlements|Overdue|Confidential|Transaction)[^\<]*<\/strong></td>[\r\n]+</tr>'
)
// the NLU detected "sender" is included within the body wrapped with new lines indicating it's a "signature"
or any(filter(ml.nlu_classifier(body.current_thread.text).entities,
.name == "sender"
and .text not in ('Customer Support', 'SHARED ON')
// in some cases the filename is detected as the sender
// we can filter out this case when the detected "sender"
// text is the file shared
and not strings.icontains(body.current_thread.text,
strings.concat("invited you to edit\n",
.text,
"\nOpen"
)
)
),
strings.icontains(body.current_thread.text,
strings.concat("\n", .text, "\n")
)
)
// finally we'll hit the actual page and see if we can get some enrichment functions to give up some gold
or any(filter(body.links,
.display_text =~ "open" or .display_text =~ "review"
),
// detected as Microsoft
any(ml.logo_detect(ml.link_analysis(., mode="aggressive").screenshot).brands,
.name in ("Microsoft") and .confidence == "high"
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Link: Adobe share with suspicious indicators"
description: "The detection rule matches messages sent from Adobe and contain indicators of malicious use. The indicators include observed call to action phrases, suspicious filenames, all capital filenames, the sender's display name (as determined by NLU) included in the comment section, or Microsoft branding on the shared link."
type: "rule"
severity: "high"
source: |
type.inbound
// from Adobe Actual
and strings.icontains(sender.display_name, 'via Adobe')
and sender.email.email == 'message@adobe.com'
and headers.auth_summary.dmarc.pass
// contains a link to open or review a share
and any(body.links, .display_text =~ "open" or .display_text =~ "review")
// not sent from a Adobe User within the org's domains
and not any($org_domains,
strings.icontains(sender.display_name,
strings.concat("@", ., ' via Adobe')
)
// sometimes the email is in parentheses
or strings.icontains(sender.display_name,
strings.concat("@", ., ') via Adobe')
)
)
and (
// the comments observed wording, using the html to make sure it's in the actor controlled section of the message
regex.icontains(body.html.raw,
'<tr>[\r\n]+<td style="color:#505050; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:18px; line-height:26px; padding-top:20px;">[\r\n]+<xmp style="font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:18px; line-height:26px overflow-x:auto; white-space:pre-wrap; white-space:-moz-pre-wrap; white-space:-pre-wrap; white-space:-o-pre-wrap; word-wrap:break-word;">Please review the attached below for your reference,'
)
// the filename shared
or regex.icontains(body.html.raw,
// , ends in some random numbers
'<td style="color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;">[\r\n]+<strong>[^\<]+<\/strong> (invited you to review|has shared) <strong>[^\<]+([]|[[:punct:]\s](?:AP|AR)?\d+[a-z]?)<\/strong></td>[\r\n]+</tr>'
)
// contains all capital letters, allowing for numbers
or regex.contains(body.html.raw,
'<td style="color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;">[\r\n]+<strong>[^\<]+<\/strong> (invited you to review|has shared) <strong>(?:[A-Z0-9_\-\s]+)<\/strong></td>[\r\n]+</tr>',
)
// contains commonly observed themes used by actors
or regex.icontains(body.html.raw,
// , ends in some random numbers
'<td style=\"color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;\">[\r\n]+<strong>[^\<]+<\/strong> invited you to review <strong>[^\<]*(Invoice|Payment|Agreement|Settlements|Overdue|Confidential|Transaction)[^\<]*<\/strong></td>[\r\n]+</tr>'
)
// the NLU detected "sender" is included within the body wrapped with new lines indicating it's a "signature"
or any(filter(ml.nlu_classifier(body.current_thread.text).entities,
.name == "sender"
and .text not in ('Customer Support', 'SHARED ON')
// in some cases the filename is detected as the sender
// we can filter out this case when the detected "sender"
// text is the file shared
and not strings.icontains(body.current_thread.text,
strings.concat("invited you to edit\n",
.text,
"\nOpen"
)
)
),
strings.icontains(body.current_thread.text,
strings.concat("\n", .text, "\n")
)
)
// finally we'll hit the actual page and see if we can get some enrichment functions to give up some gold
or any(filter(body.links,
.display_text =~ "open" or .display_text =~ "review"
),
// detected as Microsoft
any(ml.logo_detect(ml.link_analysis(., mode="aggressive").screenshot).brands,
.name in ("Microsoft") and .confidence == "high"
)
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Free file host"
detection_methods:
- "Content analysis"
- "URL screenshot"
- "Sender analysis"
- "Natural Language Understanding"
- "URL analysis"
id: "b33cae80-adbc-59b6-b732-21e739c3cb96"