Attachment: Encrypted PDF with credential theft body

The attached PDF is encrypted, and the email body contains credential-theft language. Seen in the wild impersonating e-fax services.

Sublime rule (View on GitHub)

# Sublime detection rule: an encrypted PDF attachment paired with credential-theft
# language in the message body. Every top-level clause in `source` is joined
# with `and`, so all of them must hold for the rule to match.
name: "Attachment: Encrypted PDF with credential theft body"
description: "Attached PDF is encrypted, and email body contains credential theft language. Seen in-the-wild impersonating e-fax services."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Attachment condition: at least one PDF attachment whose exploded file tree
  // shows encryption, either via an exiftool "Encryption" field or via
  // entropy above 7 together with a "/Encrypt" string in the scanned strings.
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              any(.scan.exiftool.fields, .key == "Encryption")
              or (
                .scan.entropy.entropy > 7
                and any(.scan.strings.strings, strings.icontains(., "/Encrypt"))
              )
          )
          // Encrypted PDFs do not have child nodes with any data
          // NOTE(review): file.explode(.) is evaluated here a second time for the
          // same attachment — presumably cached by the engine; confirm.
          and all(filter(file.explode(.), .depth > 0), .size == 0)
  )
  // Body condition: the NLU classifier reports a "cred_theft" intent with
  // medium/high confidence on the current thread text or on OCR of the
  // message screenshot, or the text carries a
  // "PDF <Access|Preview|Unlock|Decrypt> [Pass]code" phrase.
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in ("medium", "high")
    )
    or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
           .name == "cred_theft" and .confidence in ("medium", "high")
    )
    // Regex fallback: match the passcode phrase in the current thread, or in a
    // previous thread when the current thread text is null or at most 10 chars.
    or (
      (
        regex.icontains(body.current_thread.text,
                        'PDF\s*(?:Access|Preview|Unlock|Decrypt)\s*(?:Pass)?code'
        )
        or (
          (
            length(body.current_thread.text) <= 10
            or (body.current_thread.text is null)
          )
          and any(body.previous_threads,
                  regex.icontains(.text,
                                  'PDF\s*(?:Access|Preview|Unlock|Decrypt)\s*(?:Pass)?code'
                  )
          )
        )
      )
    )
  )
  // not forwards/replies
  // (all three signals are required together: threading headers, a forward/reply
  // subject prefix, and at least one quoted previous thread)
  and not (
    (length(headers.references) > 0 or headers.in_reply_to is not null)
    and (subject.is_forward or subject.is_reply)
    and length(body.previous_threads) >= 1
  )
  // Sender condition, any one of: a new/outlier sender that was not solicited;
  // a sender with malicious/spam history and no benign history; no visible
  // To recipients or only "undisclosed recipients"; or the single To recipient
  // is the sender's own address.
  and (
    (
      profile.by_sender_email().prevalence in ("new", "outlier")
      and not profile.by_sender_email().solicited
    )
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_messages_benign
    )
    or (
      length(recipients.to) == 0
      or all(recipients.to,
             strings.ilike(.display_name, "undisclosed?recipients")
      )
    )
    or (
      length(recipients.to) == 1
      and any(recipients.to, .email.email == sender.email.email)
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
# Classification metadata for the rule.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Exif analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
# Rule identifier (UUID).
id: "c9596c9a-0465-5364-8523-542e6d25a8f7"