Link to auto-downloaded file with Adobe branding

name: "Link to auto-downloaded file with Adobe branding"
description: |
  A link in the body of the email downloads a file from a site that uses Adobe branding as employed by threat actors, such as Qakbot.
type: "rule"
references:
  - "https://delivr.to/payloads?id=0e04949a-24f3-4acd-b77c-bbffc4cb3cb9"
  - "https://twitter.com/ankit_anubhav/status/1578257383133876225"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          // There are files downloaded
          length(ml.link_analysis(.).files_downloaded) > 0
          and 

          // Adobe branding
          ml.link_analysis(.).credphish.brand.name == "Adobe"
          and ml.link_analysis(.).credphish.brand.confidence == "high"
          and 

          // Qakbot text for user coercion
          any(file.explode(ml.link_analysis(.).screenshot),
              all(["the file is not displayed correctly", "document password"],
                  strings.icontains(..scan.ocr.raw, .)
              )
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
tags:
  - "Malfam: QakBot"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "e826c2cf-740c-5588-b0a1-8f45bb5baf47"