← Back to Explore
sublimehighRule
Brand impersonation: Adobe Acrobat Sign PDF phishing file format template
Detects specific credential phishing PDF attachments that contain Adobe branding or Adobe Acrobat Sign text along with specific file format indicators, potentially indicating fraudulent documents impersonating legitimate Adobe services.
Detection Query
type.inbound
and any(filter(attachments, .file_type == "pdf"),
(
any(ml.logo_detect(.).brands, .name == "Adobe")
or strings.icontains(beta.ocr(.).text,
'Powered by Adobe Acrobat Sign'
)
or strings.icontains(beta.ocr(.).text, 'Adobe Acrobat Sign')
)
and strings.icontains(beta.ocr(.).text, 'File Format: PDF')
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Adobe Acrobat Sign PDF phishing file format template"
description: "Detects specific credential phishing PDF attachments that contain Adobe branding or Adobe Acrobat Sign text along with specific file format indicators, potentially indicating fraudulent documents impersonating legitimate Adobe services."
type: "rule"
severity: "high"
source: |
type.inbound
and any(filter(attachments, .file_type == "pdf"),
(
any(ml.logo_detect(.).brands, .name == "Adobe")
or strings.icontains(beta.ocr(.).text,
'Powered by Adobe Acrobat Sign'
)
or strings.icontains(beta.ocr(.).text, 'Adobe Acrobat Sign')
)
and strings.icontains(beta.ocr(.).text, 'File Format: PDF')
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "PDF"
detection_methods:
- "Computer Vision"
- "Optical Character Recognition"
- "File analysis"
id: "d2b1dee3-868e-5ac7-b729-fefc67b7d02f"