Attachment: Encrypted PDF With Credential Theft Body
The attached PDF is encrypted, and the email body contains credential-theft language. Seen in the wild impersonating e-fax services.
# Sublime Security detection rule. The `source` block is written in Message Query
# Language (MQL); comments inside it use `//`, YAML comments outside it use `#`.
name: "Attachment: Encrypted PDF With Credential Theft Body"
description: "Attached PDF is encrypted, and email body contains credential theft language. Seen in-the-wild impersonating e-fax services."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Attachment condition: at least one attachment typed as PDF whose exploded
  // content shows a sign of encryption.
  and any(attachments,
          .file_type == "pdf"
          and any(file.explode(.),
                  // Primary signal: exiftool reports an "Encryption" field.
                  any(.scan.exiftool.fields, .key == "Encryption")
                  // Alternative signal: high entropy (> 7) together with a string
                  // containing "/Encrypt" (the PDF encryption dictionary key).
                  // Presumably covers PDFs where exiftool does not surface the
                  // field — confirm against samples before relying on it alone.
                  or (
                    .scan.entropy.entropy > 7
                    and any(.scan.strings.strings,
                            strings.icontains(., "/Encrypt")
                    )
                  )
          )
  )
  // Body condition: the NLU classifier returns a "cred_theft" intent with at
  // least medium confidence. Only body.current_thread.text is classified, so
  // quoted earlier messages in the thread are presumably not considered.
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence in ("medium", "high")
  )
  // Sender condition: either an unfamiliar sender (prevalence "new" or "outlier")
  // the recipient has not solicited, or a sender with prior malicious/spam
  // messages and no recorded false positives.
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // i.e. a high-trust root domain that passes DMARC is excluded, while the same
  // domain with a DMARC failure (possible spoof) is still evaluated.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# Classification tags for the rule.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Exif analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
# Stable identifier for this rule.
id: "c9596c9a-0465-5364-8523-542e6d25a8f7"