Brand impersonation: Adobe (QR code)
Detects messages that use Adobe image-based lures and reference or include a QR code, sent from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, PDF, QR code |
Rule body MQL
```mql
type.inbound
and (
  any(attachments,
    (.file_type in $file_types_images or .file_type == "pdf")
    and (
      any(ml.logo_detect(.).brands,
        .name == "Adobe" and .confidence in ("medium", "high")
      )
      or any(ml.logo_detect(file.message_screenshot()).brands,
        .name == "Adobe"
      )
      or any(file.explode(.),
        any(.scan.strings.strings,
          regex.icontains(., "adobe (acrobat|sign)")
          // negate PDF metadata, like "xmp:CreatorTool>Adobe Acrobat Pro (64-bit) 24.4.20272</xmp:CreatorTool>"
          and not regex.icontains(.,
            "(creatortool|producer|creator).{1,5}adobe acrobat"
          )
        )
      )
    )
  )
  or any(attachments,
    .file_extension in $file_extensions_macros
    and any(file.explode(.), .depth == 0 and .scan.docx.image_count > 0)
    and any(file.explode(.),
      any(.scan.strings.strings, strings.ilike(., "*adobe*"))
    )
  )
)
and any(attachments,
  (
    .file_type in $file_types_images
    or .file_type == "pdf"
    or .file_type in $file_extensions_macros
  )
  and (
    any(file.explode(.),
      regex.icontains(.scan.ocr.raw, 'scan|camera')
      and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
    )
    or (
      any(file.explode(.),
        .scan.qr.type == "url"
        // the recipient's email address is present in the URL, a common tactic in credential phishing attacks
        and any(recipients.to,
          (
            (
              .email.domain.valid
              and (
                strings.icontains(..scan.qr.data, .email.email)
                or any(beta.scan_base64(..scan.qr.data,
                  format="url"
                ),
                  strings.icontains(., ..email.email)
                )
              )
            )
            or strings.icontains(.display_name, "undisclosed")
          )
          // the recipient's SLD is in the sender's display name
          or any(recipients.to,
            strings.icontains(sender.display_name,
              .email.domain.sld
            )
          )
          // the recipient's local part is in the body
          or any(recipients.to,
            strings.icontains(body.current_thread.text,
              .email.local_part
            )
          )
          // or the body is null
          or body.current_thread.text is null
          or body.current_thread.text == ""
          // or the subject contains authentication/urgency verbiage
          or regex.contains(subject.subject,
            "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
          )
          // high-confidence credential theft in the body
          or any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "cred_theft" and .confidence in ("high")
          )
        )
      )
    )
  )
)
and (
  not any(headers.hops,
    .authentication_results.compauth.verdict is not null
    and .authentication_results.compauth.verdict == "pass"
    and sender.email.domain.root_domain in (
      "acrobat.com",
      "adobecc.com",
      "adobecces.com",
      "adobeccstatic.com",
      "adobe.com",
      "adobeexchange.com",
      "adobe-identity.com",
      "adobe.io",
      "adobejanus.com",
      "adobelogin.com",
      "adobe.net",
      "adobeprojectm.com",
      "adoberesources.net",
      "adobesc.com",
      "adobesign.com",
      "adobestock.com",
      "createjs.com",
      "licensingstack.com",
      "myportfolio.com",
      "photoshop.com",
      "typekit.com",
      "typekit.net"
    )
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
```
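As an added worked example (my own Python, not Sublime's code and not part of the rule), the functions below re-implement the rule's four attachment-level heuristics over constructed inputs: the Adobe string check with its PDF-metadata negation, the OCR "scan the QR code" check, the recipient-address-in-QR-URL check, and the subject regex. `decoded_base64_runs` is my assumed approximation of what `beta.scan_base64(..., format="url")` does; the real sensor's behaviour is not documented on this page.

```python
import base64
import re

# Patterns copied from the rule body; the subject check there uses the
# case-sensitive regex.contains, the others the case-insensitive regex.icontains.
SUBJECT_RE = re.compile(r"(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)")
ADOBE_RE = re.compile(r"adobe (acrobat|sign)", re.I)
PDF_META_RE = re.compile(r"(creatortool|producer|creator).{1,5}adobe acrobat", re.I)
SCAN_RE = re.compile(r"scan|camera", re.I)
QR_WORDS_RE = re.compile(r"\bQR\b|Q\.R\.|barcode", re.I)
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")

def decoded_base64_runs(text):
    """My assumed approximation of beta.scan_base64(..., format="url"): decode
    every base64-looking run in the QR payload and keep printable UTF-8 results."""
    found = []
    for run in B64_RUN_RE.findall(text):
        run = run.rstrip("=")
        try:
            dec = base64.urlsafe_b64decode(run + "=" * (-len(run) % 4)).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
            continue
        if dec.isprintable():
            found.append(dec)
    return found

def recipient_in_qr_url(qr_data, recipient_email):
    """strings.icontains on the raw QR URL, then on each base64-decoded run."""
    needle = recipient_email.lower()
    if needle in qr_data.lower():
        return True
    return any(needle in dec.lower() for dec in decoded_base64_runs(qr_data))

def adobe_string_hit(extracted_strings):
    """'adobe acrobat|sign' in file strings, minus the PDF producer metadata the rule negates."""
    return any(ADOBE_RE.search(s) and not PDF_META_RE.search(s) for s in extracted_strings)

def qr_ocr_hit(ocr_text):
    """OCR text that tells the reader to scan a QR code with a camera."""
    return bool(SCAN_RE.search(ocr_text) and QR_WORDS_RE.search(ocr_text))

def subject_hit(subject):
    return SUBJECT_RE.search(subject) is not None

if __name__ == "__main__":
    # Constructed sample: a QR URL carrying the recipient address base64-encoded.
    print(recipient_in_qr_url("https://example.invalid/verify?u=YWxpY2VAZXhhbXBsZS5jb20=", "alice@example.com"))
```

Note that a subject such as "Action Required" does not trip `subject_hit`, because the rule's subject pattern is applied with `regex.contains` and `action.require` is lowercase.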
Detection logic
Scope: inbound message.
- inbound message
- any of:
  - any of attachments where all hold:
    - any of:
      - .file_type in $file_types_images
      - .file_type is 'pdf'
    - any of:
      - any of ml.logo_detect(.).brands where all hold:
        - .name is 'Adobe'
        - .confidence in ('medium', 'high')
      - any of ml.logo_detect(file.message_screenshot()).brands where:
        - .name is 'Adobe'
      - any of file.explode(.) where:
        - any of .scan.strings.strings where all hold:
          - . matches 'adobe (acrobat|sign)'
          - not:
            - . matches '(creatortool|producer|creator).{1,5}adobe acrobat'
  - any of attachments where all hold:
    - .file_extension in $file_extensions_macros
    - any of file.explode(.) where all hold:
      - .depth is 0
      - .scan.docx.image_count > 0
    - any of file.explode(.) where:
      - any of .scan.strings.strings where:
        - . matches '*adobe*'
- any of attachments where all hold:
  - any of:
    - .file_type in $file_types_images
    - .file_type is 'pdf'
    - .file_type in $file_extensions_macros
  - any of:
    - any of file.explode(.) where all hold:
      - .scan.ocr.raw matches 'scan|camera'
      - .scan.ocr.raw matches '\bQR\b|Q\.R\.|barcode'
    - any of file.explode(.) where all hold:
      - .scan.qr.type is 'url'
      - any of recipients.to where any holds:
        - any of:
          - all of:
            - .email.domain.valid
            - any of:
              - ..scan.qr.data contains .email.email
              - any of beta.scan_base64(..scan.qr.data, format="url") where:
                - . contains ..email.email
          - .display_name contains 'undisclosed'
        - any of recipients.to where:
          - sender.display_name contains .email.domain.sld
        - any of recipients.to where:
          - body.current_thread.text contains .email.local_part
        - body.current_thread.text is missing
        - body.current_thread.text is ''
        - subject.subject matches '(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)'
        - any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
          - .name is 'cred_theft'
          - .confidence in ('high')
- not:
  - any of headers.hops where all hold:
    - .authentication_results.compauth.verdict is set
    - .authentication_results.compauth.verdict is 'pass'
    - sender.email.domain.root_domain in ('acrobat.com', 'adobecc.com', 'adobecces.com', 'adobeccstatic.com', 'adobe.com', 'adobeexchange.com', 'adobe-identity.com', 'adobe.io', 'adobejanus.com', 'adobelogin.com', 'adobe.net', 'adobeprojectm.com', 'adoberesources.net', 'adobesc.com', 'adobesign.com', 'adobestock.com', 'createjs.com', 'licensingstack.com', 'myportfolio.com', 'photoshop.com', 'typekit.com', 'typekit.net')
- any of:
  - all of:
    - sender.email.domain.root_domain in $high_trust_sender_root_domains
    - not:
      - headers.auth_summary.dmarc.pass
  - sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: attachments[].file_extension, attachments[].file_type, body.current_thread.text, headers.auth_summary.dmarc.pass, headers.hops, headers.hops[].authentication_results.compauth.verdict, recipients.to, recipients.to[].display_name, recipients.to[].email.domain.sld, recipients.to[].email.domain.valid, recipients.to[].email.email, recipients.to[].email.local_part, sender.display_name, sender.email.domain.root_domain, subject.subject, type.inbound.

Sensors: beta.scan_base64, file.explode, file.message_screenshot, ml.logo_detect, ml.nlu_classifier, regex.contains, regex.icontains, strings.icontains, strings.ilike.

Reference lists: $file_extensions_macros, $file_types_images, $high_trust_sender_root_domains.
Indicators matched (39)
| Field | Match | Value |
|---|---|---|
| attachments[].file_type | equals | pdf |
| ml.logo_detect(attachments[]).brands[].name | equals | Adobe |
| ml.logo_detect(attachments[]).brands[].confidence | member | medium |
| ml.logo_detect(attachments[]).brands[].confidence | member | high |
| ml.logo_detect(file.message_screenshot()).brands[].name | equals | Adobe |
| regex.icontains | regex | `adobe (acrobat\|sign)` |
| regex.icontains | regex | `(creatortool\|producer\|creator).{1,5}adobe acrobat` |
| strings.ilike | substring | `*adobe*` |
| regex.icontains | regex | `scan\|camera` |
| regex.icontains | regex | `\bQR\b\|Q\.R\.\|barcode` |
| file.explode(attachments[])[].scan.qr.type | equals | url |
| strings.icontains | substring | `undisclosed` |
| body.current_thread.text | equals | `""` (empty string) |
| regex.contains | regex | `(Authenticat(e\|or\|ion)\|2fa\|Multi.Factor\|(qr\|bar).code\|action.require\|alert\|Att(n\|ention):)` |
| ml.nlu_classifier(body.current_thread.text).intents[].name | equals | cred_theft |
| ml.nlu_classifier(body.current_thread.text).intents[].confidence | member | high |
| headers.hops[].authentication_results.compauth.verdict | equals | pass |
| sender.email.domain.root_domain | member | acrobat.com |
| sender.email.domain.root_domain | member | adobecc.com |
| sender.email.domain.root_domain | member | adobecces.com |
| sender.email.domain.root_domain | member | adobeccstatic.com |
| sender.email.domain.root_domain | member | adobe.com |
| sender.email.domain.root_domain | member | adobeexchange.com |
| sender.email.domain.root_domain | member | adobe-identity.com |
| sender.email.domain.root_domain | member | adobe.io |
| sender.email.domain.root_domain | member | adobejanus.com |
| sender.email.domain.root_domain | member | adobelogin.com |
| sender.email.domain.root_domain | member | adobe.net |
| sender.email.domain.root_domain | member | adobeprojectm.com |
| sender.email.domain.root_domain | member | adoberesources.net |
| sender.email.domain.root_domain | member | adobesc.com |
| sender.email.domain.root_domain | member | adobesign.com |
| sender.email.domain.root_domain | member | adobestock.com |
| sender.email.domain.root_domain | member | createjs.com |
| sender.email.domain.root_domain | member | licensingstack.com |
| sender.email.domain.root_domain | member | myportfolio.com |
| sender.email.domain.root_domain | member | photoshop.com |
| sender.email.domain.root_domain | member | typekit.com |
| sender.email.domain.root_domain | member | typekit.net |