← Back to Explore
sublimehighRule
Link: Abused Adobe Express
The detection rule matches on message groups which make use of Adobe Express as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website.
Detection Query
type.inbound
and any(filter(body.links,
// the link is a new.express.adobe.com page
.href_url.domain.domain == "new.express.adobe.com"
and strings.starts_with(.href_url.path, "/webpage/")
),
// filter down the links on express.adobe.com page to those that are external to adobe
// check that the length of external links is reasonable
length(distinct(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
// filter any links on the adobe express page which are
// on express.adobe.com
.href_url.domain.domain != 'new.express.adobe.com'
// or www.adobe.com (privacy page/report abuse/etc)
and .href_url.domain.domain != 'www.adobe.com'
// relative links (no domains)
and .href_url.domain.domain is not null
),
.href_url.domain.domain
)
) <= 10
and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
// filter any links on the adobe express page which are
// on express.adobe.com
.href_url.domain.domain != 'new.express.adobe.com'
// or www.adobe.com (privacy page/report abuse/etc)
and .href_url.domain.domain != 'www.adobe.com'
// relative links (no domains)
and .href_url.domain.domain is not null
),
(
// any of those links domains are new
network.whois(.href_url.domain).days_old < 30
// go to free file hosts
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.domain in $free_file_hosts
// go to free subdomains hosts
or (
.href_url.domain.root_domain in $free_subdomain_hosts
// where there is a subdomain
and .href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
)
// go to url shortners
or .href_url.domain.root_domain in $url_shorteners
or .href_url.domain.root_domain in $social_landing_hosts
or .href_url.domain.domain in $url_shorteners
or .href_url.domain.domain in $social_landing_hosts
or (
// find any links that mention common "action" words
regex.icontains(.display_text,
'(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
)
and (
// and when visiting those links, are phishing
ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
// hit a captcha page
or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
// or the page redirects to common website, observed when evasion happens
or (
length(ml.link_analysis(., mode="aggressive").redirect_history
) > 0
and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
)
)
)
)
)
)
and profile.by_sender().prevalence != "common"
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Link: Abused Adobe Express"
description: "The detection rule matches on message groups which make use of Adobe Express as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website."
type: "rule"
severity: "high"
source: |
type.inbound
and any(filter(body.links,
// the link is a new.express.adobe.com page
.href_url.domain.domain == "new.express.adobe.com"
and strings.starts_with(.href_url.path, "/webpage/")
),
// filter down the links on express.adobe.com page to those that are external to adobe
// check that the length of external links is reasonable
length(distinct(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
// filter any links on the adobe express page which are
// on express.adobe.com
.href_url.domain.domain != 'new.express.adobe.com'
// or www.adobe.com (privacy page/report abuse/etc)
and .href_url.domain.domain != 'www.adobe.com'
// relative links (no domains)
and .href_url.domain.domain is not null
),
.href_url.domain.domain
)
) <= 10
and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
// filter any links on the adobe express page which are
// on express.adobe.com
.href_url.domain.domain != 'new.express.adobe.com'
// or www.adobe.com (privacy page/report abuse/etc)
and .href_url.domain.domain != 'www.adobe.com'
// relative links (no domains)
and .href_url.domain.domain is not null
),
(
// any of those links domains are new
network.whois(.href_url.domain).days_old < 30
// go to free file hosts
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.domain in $free_file_hosts
// go to free subdomains hosts
or (
.href_url.domain.root_domain in $free_subdomain_hosts
// where there is a subdomain
and .href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
)
// go to url shortners
or .href_url.domain.root_domain in $url_shorteners
or .href_url.domain.root_domain in $social_landing_hosts
or .href_url.domain.domain in $url_shorteners
or .href_url.domain.domain in $social_landing_hosts
or (
// find any links that mention common "action" words
regex.icontains(.display_text,
'(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
)
and (
// and when visiting those links, are phishing
ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
// hit a captcha page
or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
// or the page redirects to common website, observed when evasion happens
or (
length(ml.link_analysis(., mode="aggressive").redirect_history
) > 0
and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
)
)
)
)
)
)
and profile.by_sender().prevalence != "common"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Free subdomain host"
- "Free file host"
detection_methods:
- "Content analysis"
- "Sender analysis"
- "URL analysis"
- "Whois"
- "HTML analysis"
id: "c7d17bfd-e571-55ba-a521-08d68b576740"