
Link: Adobe share with suspicious indicators

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

This detection rule matches messages that are sent from Adobe and contain indicators of malicious use. The indicators include observed call-to-action phrases, suspicious filenames, all-capital filenames, the sender's display name (as determined by NLU) appearing in the comment section, or Microsoft branding on the shared link.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Attack types: Credential Phishing
Tactics and techniques: Evasion, Free file host

Rule body MQL

type.inbound
// from Adobe Actual
and strings.icontains(sender.display_name, 'via Adobe')
and sender.email.email == 'message@adobe.com'
and headers.auth_summary.dmarc.pass
// contains a link to open or review a share
and any(body.links, .display_text =~ "open" or .display_text =~ "review")

// not sent from an Adobe user within the org's domains
and not any($org_domains,
            strings.icontains(sender.display_name,
                              strings.concat("@", ., ' via Adobe')
            )
            // sometimes the email is in parentheses
            or strings.icontains(sender.display_name,
                                 strings.concat("@", ., ') via Adobe')
            )
)
and (
  // the comment section contains observed wording; matching on the html ensures it sits in the actor-controlled section of the message
  regex.icontains(body.html.raw,
                  '<tr>[\r\n]+<td style="color:#505050; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:18px; line-height:26px; padding-top:20px;">[\r\n]+<xmp style="font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:18px; line-height:26px overflow-x:auto; white-space:pre-wrap; white-space:-moz-pre-wrap; white-space:-pre-wrap; white-space:-o-pre-wrap; word-wrap:break-word;">Please review the attached below for your reference,'
  )
  // the filename shared
  or regex.icontains(body.html.raw,
                     // the filename ends in a run of digits
                     '<td style="color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;">[\r\n]+<strong>[^\<]+<\/strong> (invited you to review|has shared) <strong>[^\<]+([]|[[:punct:]\s](?:AP|AR)?\d+[a-z]?)<\/strong></td>[\r\n]+</tr>'
  )
  // contains all capital letters, allowing for numbers
  or regex.contains(body.html.raw,
                    '<td style="color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;">[\r\n]+<strong>[^\<]+<\/strong> (invited you to review|has shared) <strong>(?:[A-Z0-9_\-\s]+)<\/strong></td>[\r\n]+</tr>'
  )
  // contains commonly observed themes used by actors
  or regex.icontains(body.html.raw,
                     // the filename contains a lure theme
                     '<td style=\"color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;\">[\r\n]+<strong>[^\<]+<\/strong> invited you to review <strong>[^\<]*(Invoice|Payment|Agreement|Settlements|Overdue|Confidential|Transaction)[^\<]*<\/strong></td>[\r\n]+</tr>'
  )
  // the NLU-detected "sender" is included within the body wrapped in newlines, indicating it's a "signature"
  or any(filter(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "sender"
                and .text not in ('Customer Support', 'SHARED ON')
                // in some cases the filename is detected as the sender
                // we can filter out this case when the detected "sender"
                // text is the file shared
                and not strings.icontains(body.current_thread.text,
                                          strings.concat("invited you to edit\n",
                                                         .text,
                                                         "\nOpen"
                                          )
                )
         ),
         strings.icontains(body.current_thread.text,
                           strings.concat("\n", .text, "\n")
         )
  )
  // finally, fetch the linked page and see whether the enrichment functions surface anything
  or any(filter(body.links,
                .display_text =~ "open" or .display_text =~ "review"
         ),
         // detected as Microsoft
         any(ml.logo_detect(ml.link_analysis(., mode="aggressive").screenshot).brands,
             .name in ("Microsoft") and .confidence == "high"
         )
  )
)
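To show how the rule's indicator logic composes, here is an added Python re-implementation of the gating conditions and the regex and filename checks, run over constructed sample messages. It is example code written for this page, not Sublime's code or MQL: the Message dataclass, share_html, evaluate, the org domain example.com and the sample names and filenames are all assumptions. The NLU "sender" entity is approximated by taking the name before " via Adobe", the first regex is reduced to its call-to-action phrase inside the <xmp> block, and the ml.link_analysis/ml.logo_detect screenshot check is omitted because it needs a live sandbox.

```python
import re
from dataclasses import dataclass


# Hypothetical stand-in for the MQL fields the rule inspects (constructed, not Sublime's API).
@dataclass
class Message:
    sender_display_name: str   # sender.display_name
    sender_email: str          # sender.email.email
    dmarc_pass: bool           # headers.auth_summary.dmarc.pass
    link_texts: list           # body.links[].display_text
    html: str                  # body.html.raw
    text: str                  # body.current_thread.text


# The title-cell style the rule anchors on, so the filename is read from Adobe's own
# template rather than from attacker-chosen free text elsewhere in the body.
TITLE_STYLE = ("color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, "
               "Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;")
TITLE_TD = re.compile(
    r'<td style="' + re.escape(TITLE_STYLE) + r'">[\r\n]+<strong>(?P<actor>[^<]+)</strong> '
    r"(?P<verb>invited you to review|has shared) <strong>(?P<file>[^<]+)</strong></td>[\r\n]+</tr>"
)
# Simplified form of the rule's first regex: the call-to-action phrase inside the <xmp> comment block.
CTA_COMMENT = re.compile(r"<xmp [^>]*>Please review the attached below for your reference,", re.I)
# Filename heuristics, one per alternative in the rule's "and (...)" block.
NUMERIC_SUFFIX = re.compile(r"[\W_](?:AP|AR)?\d+[a-z]?$", re.I)   # "... 48213", "_AR12a"
ALL_CAPS = re.compile(r"^[A-Z0-9_\-\s]+$")
LURE_THEME = re.compile(r"Invoice|Payment|Agreement|Settlements|Overdue|Confidential|Transaction", re.I)
EXCLUDED_SENDER_ENTITIES = ("Customer Support", "SHARED ON")


def is_adobe_share(msg, org_domains):
    """The rule's gating conditions: a genuine Adobe notification not sent by an internal user."""
    name = msg.sender_display_name.lower()
    if "via adobe" not in name or msg.sender_email.lower() != "message@adobe.com":
        return False
    if not msg.dmarc_pass or not any(t.lower() in ("open", "review") for t in msg.link_texts):
        return False
    # Shares from the org's own Adobe users carry "@<org domain> via Adobe" in the display name.
    return not any(f"@{d} via adobe" in name or f"@{d}) via adobe" in name
                   for d in map(str.lower, org_domains))


def filename_indicators(html):
    """Return which filename heuristics fire on the shared file's name in the title cell."""
    m = TITLE_TD.search(html)
    if not m:
        return []
    filename = m.group("file")
    hits = []
    if NUMERIC_SUFFIX.search(filename):
        hits.append("filename_numeric_suffix")
    if ALL_CAPS.fullmatch(filename):
        hits.append("filename_all_caps")
    if m.group("verb") == "invited you to review" and LURE_THEME.search(filename):
        hits.append("filename_lure_theme")
    return hits


def sender_signature_in_body(text, sender_name):
    """Stand-in for the NLU 'sender' entity check: the sender's name sits on its own line,
    as a signature would, except when that line is really the filename of an edit invite."""
    if sender_name in EXCLUDED_SENDER_ENTITIES:
        return False
    lowered = text.lower()
    if f"invited you to edit\n{sender_name}\nopen".lower() in lowered:
        return False
    return f"\n{sender_name}\n".lower() in lowered


def evaluate(msg, org_domains=("example.com",)):
    """Evaluate the rule; the Microsoft-branding screenshot check needs a live sandbox and is omitted."""
    if not is_adobe_share(msg, org_domains):
        return {"matched": False, "indicators": []}
    hits = ["cta_phrase_in_comment"] if CTA_COMMENT.search(msg.html) else []
    hits += filename_indicators(msg.html)
    # Derive the human name from "<Name> via Adobe" as a stand-in for the NLU entity.
    sender_name = msg.sender_display_name.split(" via Adobe")[0].strip()
    if sender_signature_in_body(msg.text, sender_name):
        hits.append("sender_name_as_signature")
    return {"matched": bool(hits), "indicators": hits}


def share_html(actor, verb, filename, comment=None):
    """Constructed sample body in the shape the rule's regexes expect (not real Adobe markup)."""
    html = (f'<tr>\n<td style="{TITLE_STYLE}">\n<strong>{actor}</strong> {verb} '
            f"<strong>{filename}</strong></td>\n</tr>\n")
    if comment:
        html += f'<tr>\n<td style="font-size:18px;">\n<xmp style="font-size:18px;">{comment}</xmp></td>\n</tr>\n'
    return html


# Constructed samples: one lure-shaped share, one ordinary share, one from an internal user.
SUSPICIOUS = Message(
    "Jane Doe via Adobe", "message@adobe.com", True, ["Open"],
    share_html("Jane Doe", "invited you to review", "INVOICE_AP 48213",
               "Please review the attached below for your reference,\nJane Doe"),
    "Jane Doe invited you to review INVOICE_AP 48213\n"
    "Please review the attached below for your reference,\nJane Doe\nOpen\n",
)
BENIGN = Message(
    "Sam Lee via Adobe", "message@adobe.com", True, ["Open"],
    share_html("Sam Lee", "has shared", "Q3 planning notes.pdf"),
    "Sam Lee has shared Q3 planning notes.pdf\nOpen\n",
)
INTERNAL = Message(
    "Pat Kim (pat.kim@example.com) via Adobe", "message@adobe.com", True, ["Open"],
    share_html("Pat Kim", "invited you to review", "INVOICE_AP 48213"),
    "Pat Kim invited you to review INVOICE_AP 48213\nOpen\n",
)

if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS), ("benign", BENIGN), ("internal", INTERNAL)):
        print(label, evaluate(msg))
```

The gate and the indicator block are kept separate on purpose: the gate (authentic Adobe sender, DMARC pass, not an org user) is what keeps the filename heuristics from firing on every mail that merely mentions an invoice, and the internal-user sample shows that a lure-shaped filename alone does not produce a match when the share originates inside the organisation.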

Detection logic

Scope: inbound message.

  1. inbound message
  2. sender.display_name contains 'via Adobe'
  3. sender.email.email is 'message@adobe.com'
  4. headers.auth_summary.dmarc.pass
  5. any of body.links where any holds:
    • .display_text is 'open'
    • .display_text is 'review'
  6. not:
    • any of $org_domains where any holds:
      • strings.icontains(sender.display_name, strings.concat("@", ., ' via Adobe'))
      • strings.icontains(sender.display_name, strings.concat("@", ., ') via Adobe'))
  7. any of:
    • body.html.raw matches '<tr>[\r\n]+<td style="color:#505050; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:18px; line-height:26px; padding-top:20px;">[\r\n]+<xmp style="font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:18px; line-height:26px overflow-x:auto; white-space:pre-wrap; white-space:-moz-pre-wrap; white-space:-pre-wrap; white-space:-o-pre-wrap; word-wrap:break-word;">Please review the attached below for your reference,'
    • body.html.raw matches '<td style="color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;">[\r\n]+<strong>[^\<]+<\/strong> (invited you to review|has shared) <strong>[^\<]+([]|[[:punct:]\s](?:AP|AR)?\d+[a-z]?)<\/strong></td>[\r\n]+</tr>'
    • body.html.raw matches '<td style="color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;">[\r\n]+<strong>[^\<]+<\/strong> (invited you to review|has shared) <strong>(?:[A-Z0-9_\-\s]+)<\/strong></td>[\r\n]+</tr>'
    • body.html.raw matches '<td style=\"color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;\">[\r\n]+<strong>[^\<]+<\/strong> invited you to review <strong>[^\<]*(Invoice|Payment|Agreement|Settlements|Overdue|Confidential|Transaction)[^\<]*<\/strong></td>[\r\n]+</tr>'
    • any of filter(ml.nlu_classifier(body.current_thread.text).entities, .name == "sender" and .text not in ('Customer Support', 'SHARED ON') and not strings.icontains(body.current_thread.text, strings.concat("invited you to edit\n", .text, "\nOpen"))) where:
      • strings.icontains(body.current_thread.text, strings.concat("\n", .text, "\n"))
    • any of filter(body.links, .display_text =~ "open" or .display_text =~ "review") where:
      • any of ml.logo_detect(ml.link_analysis(., mode='aggressive').screenshot).brands where all hold:
        • .name in ('Microsoft')
        • .confidence is 'high'

Inspects: body.current_thread.text, body.html.raw, body.links, body.links[].display_text, headers.auth_summary.dmarc.pass, sender.display_name, sender.email.email, type.inbound. Sensors: ml.link_analysis, ml.logo_detect, ml.nlu_classifier, regex.contains, regex.icontains, strings.concat, strings.icontains. Reference lists: $org_domains.

Indicators matched (13)

Field | Match | Value
strings.icontains | substring | via Adobe
sender.email.email | equals | message@adobe.com
body.links[].display_text | equals | open
body.links[].display_text | equals | review
regex.icontains | regex | <tr>[\r\n]+<td style="color:#505050; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:18px; line-height:26px; padding-top:20px;">[\r\n]+<xmp style="font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:18px; line-height:26px overflow-x:auto; white-space:pre-wrap; white-space:-moz-pre-wrap; white-space:-pre-wrap; white-space:-o-pre-wrap; word-wrap:break-word;">Please review the attached below for your reference,
regex.icontains | regex | <td style="color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;">[\r\n]+<strong>[^\<]+<\/strong> (invited you to review|has shared) <strong>[^\<]+([]|[[:punct:]\s](?:AP|AR)?\d+[a-z]?)<\/strong></td>[\r\n]+</tr>
regex.contains | regex | <td style="color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;">[\r\n]+<strong>[^\<]+<\/strong> (invited you to review|has shared) <strong>(?:[A-Z0-9_\-\s]+)<\/strong></td>[\r\n]+</tr>
regex.icontains | regex | <td style=\"color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;\">[\r\n]+<strong>[^\<]+<\/strong> invited you to review <strong>[^\<]*(Invoice|Payment|Agreement|Settlements|Overdue|Confidential|Transaction)[^\<]*<\/strong></td>[\r\n]+</tr>
ml.nlu_classifier(body.current_thread.text).entities[].name | equals | sender
ml.nlu_classifier(body.current_thread.text).entities[].text | member | Customer Support
ml.nlu_classifier(body.current_thread.text).entities[].text | member | SHARED ON
ml.logo_detect(ml.link_analysis(filter(body.links)[], mode='aggressive').screenshot).brands[].name | member | Microsoft
ml.logo_detect(ml.link_analysis(filter(body.links)[], mode='aggressive').screenshot).brands[].confidence | equals | high