Attachment: Encrypted PDF with credential theft body
The attached PDF is encrypted, and the email body contains credential-theft language. Seen in the wild impersonating e-fax services.
name: "Attachment: Encrypted PDF with credential theft body"
description: "Attached PDF is encrypted, and email body contains credential theft language. Seen in-the-wild impersonating e-fax services."
type: "rule"
severity: "medium"
source: |
  // All four top-level conditions must hold: inbound direction, an encrypted PDF
  // attachment, credential-theft language in the message, and a sender that is
  // either unknown/unsolicited or has prior malicious or spam history, with an
  // exception for highly trusted root domains that still pass DMARC.
  type.inbound
  // Condition 1: a PDF attachment that looks encrypted. Two signals, either is
  // enough: an exiftool "Encryption" field on any exploded file, or a
  // high-entropy (> 7) file whose extracted strings contain "/Encrypt".
  and any(attachments,
          .file_type == "pdf"
          and any(file.explode(.),
                  any(.scan.exiftool.fields, .key == "Encryption")
                  or (
                    .scan.entropy.entropy > 7
                    and any(.scan.strings.strings,
                            strings.icontains(., "/Encrypt")
                    )
                  )
          )
  )
  // Condition 2: credential-theft language. The NLU classifier is run on the
  // current thread text and on OCR of a rendered screenshot of the message; a
  // case-insensitive regex for "PDF access/unlock/decrypt (pass)code" phrasing
  // is the fallback, and it is also applied to previous threads when the
  // current thread text is empty or near-empty (<= 10 characters or null).
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in ("medium", "high")
    )
    or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
           .name == "cred_theft" and .confidence in ("medium", "high")
    )
    or (
      (
        regex.icontains(body.current_thread.text,
                        'PDF\s*(?:Access|Unlock|Decrypt)\s*(?:Pass)?code'
        )
        or (
          (
            length(body.current_thread.text) <= 10
            or (body.current_thread.text is null)
          )
          and any(body.previous_threads,
                  regex.icontains(.text,
                                  'PDF\s*(?:Access|Unlock|Decrypt)\s*(?:Pass)?code'
                  )
          )
        )
      )
    )
  )
  // Condition 3: sender reputation. Either a new or outlier sender address that
  // is not marked solicited, or a sender address with prior malicious or spam
  // messages and no recorded false positives.
  and (
    (
      profile.by_sender_email().prevalence in ("new", "outlier")
      and not profile.by_sender_email().solicited
    )
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_false_positives
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a listed root domain only matches when DMARC did not pass, presumably to
  // keep spoofed trusted domains in scope; unlisted domains are always eligible)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# Classification metadata for the rule.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Exif analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
# Stable identifier for this rule (UUID).
id: "c9596c9a-0465-5364-8523-542e6d25a8f7"