Brand impersonation: Adobe (QR code)

Sublime Rules

Summary
The detection rule 'Brand impersonation: Adobe (QR code)' identifies phishing attempts that use Adobe-branded images, particularly images containing QR codes. It examines messages from unsolicited senders and inspects attachments that may carry image-based lures, PDF files, or macro-based documents. To establish the presence of Adobe branding, the rule combines several methods: machine-learning logo detection, text string analysis, and file type verification. The key phishing indicator is a QR code that resolves to a potentially malicious URL or phishing site, especially when that URL embeds the recipient's email domain, a common tactic in credential theft. The rule also evaluates the sender domain's trust level and correlates it with DMARC authentication results, suppressing matches from high-trust domains unless they fail authentication. Overall, it pairs visual analysis with heuristic checks to improve detection of brand impersonation attacks.
Categories
  • Identity Management
  • Endpoint
  • Cloud
  • Web
  • Application
Data Sources
  • User Account
  • File
  • Network Traffic
  • Process
  • Application Log
Created: 2023-11-09