Attachment: Encrypted PDF with credential theft body

The attached PDF is encrypted and the email body contains credential-theft language. Seen in the wild impersonating e-fax services.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata wrapping an MQL `source` expression.
# Fires on inbound mail that carries an encrypted PDF attachment AND whose text shows
# credential-theft intent, gated by sender reputation so that established, solicited
# senders do not trigger it. Every top-level `and` clause below must hold.
# `$high_trust_sender_root_domains` is a platform-managed list referenced by the
# expression; it is not defined in this file.
name: "Attachment: Encrypted PDF with credential theft body"
description: "Attached PDF is encrypted, and email body contains credential theft language. Seen in-the-wild impersonating e-fax services."
type: "rule"
severity: "medium"
source: |
  // Direction gate: only inbound messages are evaluated.
  type.inbound
  // Attachment gate: at least one attachment whose detected file_type is "pdf"
  // and which, once exploded, either exposes an exiftool "Encryption" field or
  // (fallback) has byte entropy above 7 together with a "/Encrypt" string.
  // NOTE(review): the match is on .file_type, not the filename extension, so a
  // PDF attached under another extension is covered only if the platform's
  // type detection still classifies it as pdf — confirm.
  and any(attachments,
          .file_type == "pdf"
          and any(file.explode(.),
                  any(.scan.exiftool.fields, .key == "Encryption")
                  // fallback, presumably for files whose encryption exiftool does
                  // not surface: high entropy plus the /Encrypt dictionary key
                  // as a raw string
                  or (
                    .scan.entropy.entropy > 7
                    and any(.scan.strings.strings,
                            strings.icontains(., "/Encrypt")
                    )
                  )
          )
  )
  // Lure gate: any one of three signals of credential-theft language.
  and (
    // 1. NLU cred_theft intent (medium/high confidence) on the current thread text
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in ("medium", "high")
    )
    // 2. same intent on OCR'd text of a rendered screenshot of the message,
    //    for lures carried as images rather than text (beta.* functions)
    or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
           .name == "cred_theft" and .confidence in ("medium", "high")
    )
    // 3. literal "PDF Access|Unlock|Decrypt [Pass]code" wording, case-insensitive
    or (
      (
        regex.icontains(body.current_thread.text,
                        'PDF\s*(?:Access|Unlock|Decrypt)\s*(?:Pass)?code'
        )
        // when the current thread is effectively empty (null or <= 10 chars),
        // look for the same wording in the quoted previous threads instead
        or ( 
          (
            length(body.current_thread.text) <= 10
            or (body.current_thread.text is null)
          )
          and any(body.previous_threads,
                  regex.icontains(.text,
                                  'PDF\s*(?:Access|Unlock|Decrypt)\s*(?:Pass)?code'

                  )
          )
        )
      )
    )
  )
  // Sender gate: the sender is either new/outlier and unsolicited, or has
  // prior malicious/spam messages with no recorded false positives.
  // NOTE(review): an established, solicited sender with no malicious history
  // never satisfies this clause, so a compromised account of a known
  // correspondent is out of scope for this rule — a deliberate FP trade-off
  // to keep in mind when tuning.
  and (
    (
      profile.by_sender_email().prevalence in ("new", "outlier")
      and not profile.by_sender_email().solicited
    )
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_false_positives
    )
  )
  // Trusted-domain exception: a sender root domain on the high-trust list is
  // suppressed only while DMARC passes; a spoof of such a domain that fails
  // DMARC still matches, and domains not on the list are unaffected.
  // NOTE(review): if headers.auth_summary.dmarc.pass is null (no DMARC
  // verdict), `not` of it decides the outcome for listed domains — confirm
  // the intended behaviour for unauthenticated mail from those domains.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  

# Classification metadata for the rule catalogue (not part of the match logic).
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Exif analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
# Stable rule identifier; keep unchanged across edits so tuning history is preserved.
id: "c9596c9a-0465-5364-8523-542e6d25a8f7"