From d9cf554d795c128837bf56368b45d94098c84e99 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Mon, 20 Nov 2023 09:45:21 -0800
Subject: [PATCH 1/2] Create impersonation_adobe_suspicious_language_link.yml
---
 ...onation_adobe_suspicious_language_link.yml | 62 +++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 detection-rules/impersonation_adobe_suspicious_language_link.yml
diff --git a/detection-rules/impersonation_adobe_suspicious_language_link.yml b/detection-rules/impersonation_adobe_suspicious_language_link.yml
new file mode 100644
index 00000000000..993a07a41f3
--- /dev/null
+++ b/detection-rules/impersonation_adobe_suspicious_language_link.yml
@@ -0,0 +1,62 @@
+name: "Brand impersonation: Adobe with suspicious language and link"
+description: "Email contains an Adobe logo, at least one link, and suspicious link language from a new sender."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and length(attachments) == 0
+ and length(body.links) > 0
+ and any(ml.logo_detect(beta.message_screenshot()).brands,
+ .name == "Adobe" and .confidence in ("high")
+ )
+ and (
+ any(file.explode(beta.message_screenshot()),
+ strings.ilike(.scan.ocr.raw,
+ "*review*",
+ "*sign*",
+ "*view*",
+ "*completed document*",
+ "*open agreement*",
+ "*open document*"
+ )
+ )
+ or any(body.links,
+ strings.ilike(.display_text,
+ "*review*",
+ "*sign*",
+ "*view*",
+ "*completed document*",
+ "*open agreement*",
+ "*open document*"
+ )
+ )
+ )
+ and (
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (
+ profile.by_sender().any_messages_malicious_or_spam
+ and not profile.by_sender().any_false_positives
+ )
+ )
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
From 904d7f68bcb2562280eff0ec34757741d221bb6b Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Mon, 20 Nov 2023 17:48:29 +0000
Subject: [PATCH 2/2] Auto add rule ID
---
 detection-rules/impersonation_adobe_suspicious_language_link.yml | 1 +
 1 file changed, 1 insertion(+)
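Review bot: Nothing in the `source` block exempts Adobe's own sending infrastructure, so unless `$high_trust_sender_root_domains` already carries the relevant Adobe domains (the list is not visible here), the first genuine Adobe Sign notification an organization receives is a "new" sender with a high-confidence Adobe logo and very likely the word "sign" in its OCR text, and it fires at `severity: "high"`. A brand-owner exclusion next to the trusted-domain negation would close that gap, e.g. `and not (sender.email.domain.root_domain in ("adobe.com", "adobesign.com") and any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*pass")))` — confirm the full set of Adobe sending domains against telemetry before relying on it. The unanchored wildcards `"*sign*"`, `"*view*"` and `"*review*"` in both the OCR clause and the `display_text` clause also match "signature", "design", "preview" and "interview" (and `"*view*"` already subsumes `"*review*"`), so ordinary Creative Cloud marketing from a new sender satisfies the language condition; anchoring them to document-action phrases such as `"*review and sign*"`, `"*sign document*"`, `"*view document*"` would keep the intent without the noise. Lastly, the trusted-domain branch only inspects hops whose `authentication_results.dmarc` is populated, so a trusted domain with no DMARC result on any hop is left un-flagged; a one-line comment stating that choice under `// negate highly trusted sender domains unless they fail DMARC authentication` would save the next reader from re-deriving it.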
diff --git a/detection-rules/impersonation_adobe_suspicious_language_link.yml b/detection-rules/impersonation_adobe_suspicious_language_link.yml
index 993a07a41f3..5cce19644c1 100644
--- a/detection-rules/impersonation_adobe_suspicious_language_link.yml
+++ b/detection-rules/impersonation_adobe_suspicious_language_link.yml
@@ -60,3 +60,4 @@ detection_methods:
 - "Content analysis"
 - "Header analysis"
 - "Sender analysis"
+id: "32cc8bf1-f4d7-549f-a970-eade24b7c6ae"