EXPLORE
← Back to Explore
sublimehighRule

Brand impersonation: Adobe Acrobat Sign PDF phishing file format template

Detects specific credential phishing PDF attachments that contain Adobe branding or Adobe Acrobat Sign text along with specific file format indicators, potentially indicating fraudulent documents impersonating legitimate Adobe services.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and any(filter(attachments, .file_type == "pdf"),
        (
          any(ml.logo_detect(.).brands, .name == "Adobe")
          or strings.icontains(beta.ocr(.).text,
                               'Powered by Adobe Acrobat Sign'
          )
          or strings.icontains(beta.ocr(.).text, 'Adobe Acrobat Sign')
        )
        and strings.icontains(beta.ocr(.).text, 'File Format: PDF')
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand impersonation: Adobe Acrobat Sign PDF phishing file format template"
description: "Detects  specific credential phishing PDF attachments that contain Adobe branding or Adobe Acrobat Sign text along with specific file format indicators, potentially indicating fraudulent documents impersonating legitimate Adobe services."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          (
            any(ml.logo_detect(.).brands, .name == "Adobe")
            or strings.icontains(beta.ocr(.).text,
                                 'Powered by Adobe Acrobat Sign'
            )
            or strings.icontains(beta.ocr(.).text, 'Adobe Acrobat Sign')
          )
          and strings.icontains(beta.ocr(.).text, 'File Format: PDF')
  )
  
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
detection_methods:
  - "Computer Vision"
  - "Optical Character Recognition"
  - "File analysis"
id: "d2b1dee3-868e-5ac7-b729-fefc67b7d02f"