1+ name : " Brand impersonation: Adobe Sign with suspicious indicators"
2+ description : " Detects messages impersonating Adobe Sign that contain Adobe branding elements but are not sent from legitimate Adobe domains and lack proper Adobe Sign authentication headers."
3+ type : " rule"
4+ severity : " high"
5+ source : |
6+ type.inbound
7+ and length(filter(attachments, .file_type == "pdf")) == 0
8+ and (
9+ regex.icontains(body.html.raw,
10+ 'alt="Adobe(?: Acrobat)? Sign"',
11+ "adobe-sign-logo.{0,20}.png",
12+ 'alt="Powered by Adobe Acrobat Sign"'
13+ )
14+ or any(html.xpath(body.html, "//img/@src").nodes,
15+ strings.parse_url(.raw).domain.root_domain == "adobesign.com"
16+ and (
17+ strings.istarts_with(strings.parse_url(.raw).path, "/cobrand_logo/")
18+ or strings.icontains(strings.parse_url(.raw).path, "checkmarkCircle")
19+ )
20+ )
21+ )
22+ and not (
23+ // inspect the "oldest" thread, negate where that thread is the original Adobe Sign email (based on link domains)
24+ (
25+ length(body.previous_threads[length(body.previous_threads) - 1].links) > 0
26+ and all(body.previous_threads[length(body.previous_threads) - 1].links,
27+ .href_url.domain.root_domain in (
28+ "aka.ms",
29+ "adobe.com",
30+ "adobesign.com",
31+ "echosign.com",
32+ "adobesignsandbox.com",
33+ "mimecastprotect.com",
34+ "mimecast.com"
35+ )
36+ or .href_url.domain.root_domain in $org_domains
37+ or .href_url.domain.root_domain == sender.email.domain.root_domain
38+ or any(recipients.to,
39+ .email.domain.root_domain == ..href_url.domain.root_domain
40+ )
41+ )
42+ )
43+ // legit review button
44+ or any(body.links,
45+ .display_text in (
46+ "Review and sign",
47+ "the document",
48+ "Open agreement",
49+ "VIEW DOCUMENTS",
50+ "Click here to review and sign"
51+ )
52+ and (
53+ .href_url.domain.root_domain in (
54+ "adobe.com",
55+ "adobesign.com",
56+ "echosign.com",
57+ "adobesignsandbox.com",
58+ )
59+ // Mimecast link logic
60+ or (
61+ .href_url.domain.root_domain in (
62+ "mimecastprotect.com",
63+ "mimecast.com"
64+ )
65+ and any(.href_url.query_params_decoded['domain'],
66+ strings.parse_domain(.).root_domain in (
67+ "adobe.com",
68+ "adobesign.com",
69+ "echosign.com",
70+ "adobesignsandbox.com",
71+ )
72+ )
73+ )
74+ )
75+ )
76+ // accidental recipient
77+ or any(recipients.to, .email.email == "[email protected] ") 78+ // known Adobe Sign messaage ID formats
79+ or (
80+ (length(headers.references) > 1 or length(body.previous_threads) != 0)
81+ and regex.imatch(headers.references[0],
82+ '[0-9]{9,10}\.[0-9]{4,6}\.[0-9]{13}@event-consumer-prod-[a-z]-[a-z0-9]{7,10}-[a-z0-9]{5}',
83+ '[0-9]{8,10}\.[0-9]{5,7}\.[0-9]{13}@(webapp|job)-prod-.*$',
84+ '[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}-APO-PRODHIPAA@apo-p-h'
85+ )
86+ )
87+ // negate Adobe Sign messages from custom domains
88+ or any(headers.hops,
89+ any(.fields, .name in ("Adobesigneventid", "Agreementid"))
90+ )
91+ )
92+ and not (
93+ sender.email.domain.root_domain in (
94+ "adobe.com",
95+ "adobesign.com",
96+ "adobesignsandbox.com",
97+ "echosign.com",
98+ // ticketing software that embeds emails
99+ "helpscout.net"
100+ )
101+ and headers.auth_summary.dmarc.pass
102+ )
103+ and (
104+ (
105+ sender.email.domain.root_domain in $high_trust_sender_root_domains
106+ and not headers.auth_summary.dmarc.pass
107+ )
108+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
109+ )
110+ attack_types :
111+ - " Credential Phishing"
112+ tactics_and_techniques :
113+ - " Impersonation: Brand"
114+ - " Social engineering"
115+ detection_methods :
116+ - " Content analysis"
117+ - " Header analysis"
118+ - " HTML analysis"
119+ - " Sender analysis"
120+ id : " 39e80ee0-890d-514c-af06-6befffa38580"
121+ og_id : " 704d143a-7ef2-5601-9e38-e659f0f65c8c"
122+ testing_pr : 3728
123+ testing_sha : bac109eea62a2b802076c53e58f88e8a77766cef
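Review bot: The accidental-recipient negation on L77 compares `.email.email` against a literal that, as rendered, ends in a space before the closing quote (`"[email protected] "`), so the equality can never match a real address; if that whitespace is in the committed rule rather than a rendering artifact, trim it to `.email.email == "<address>"`, and note the address itself cannot be checked from this page because it is obfuscated. The comment on the same line also misspells "message" as `messaage`. The custom-domain negation on L87–L89 suppresses the rule whenever any hop carries a field named `Adobesigneventid` or `Agreementid`, without tying that to any sender or authentication check the way the L92–L101 branch does with `headers.auth_summary.dmarc.pass`; if per-hop authentication results are available in MQL, consider combining them with that branch, otherwise add a comment stating why header presence alone is treated as sufficient.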