← Back to Explore
sublimemediumRule
Attachment: Adobe Sign lure PDF with embedded banner images
Detects inbound messages containing PDF attachments that contain embedded banner images mimicking Adobe Sign branding, commonly used to deceive recipients into believing the document is legitimate.
Detection Query
type.inbound
and any(filter(attachments, .file_type == "pdf"),
any(file.explode(.),
any(.scan.yara.matches, .name == 'adobe_sign_lure_banner_images')
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: Adobe Sign lure PDF with embedded banner images"
description: "Detects inbound messages containing PDF attachments that contain embedded banner images mimicking Adobe Sign branding, commonly used to deceive recipients into believing the document is legitimate."
type: "rule"
severity: "medium"
source: |
type.inbound
and any(filter(attachments, .file_type == "pdf"),
any(file.explode(.),
any(.scan.yara.matches, .name == 'adobe_sign_lure_banner_images')
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "PDF"
- "Impersonation: Brand"
detection_methods:
- "File analysis"
- "YARA"
id: "f27f40ff-3349-50a6-ade3-182b069775c2"