Attachment: Encrypted PDF With Credential Theft Body
Attached PDF is encrypted, and email body contains credential theft language. Seen in-the-wild impersonating e-fax services.
Sublime rule (View on GitHub)
1name: "Attachment: Encrypted PDF With Credential Theft Body"
2description: "Attached PDF is encrypted, and email body contains credential theft language. Seen in-the-wild impersonating e-fax services."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and any(attachments,
8 .file_type == "pdf"
9 and any(file.explode(.),
10 any(.scan.exiftool.fields, .key == "Encryption")
11 )
12 )
13 and any(ml.nlu_classifier(body.current_thread.text).intents,
14 .name == "cred_theft" and .confidence in ("medium", "high")
15 )
16 and (
17 (
18 profile.by_sender().prevalence in ("new", "outlier")
19 and not profile.by_sender().solicited
20 )
21 or (
22 profile.by_sender().any_messages_malicious_or_spam
23 and not profile.by_sender().any_false_positives
24 )
25 )
26 // negate highly trusted sender domains unless they fail DMARC authentication
27 and (
28 (
29 sender.email.domain.root_domain in $high_trust_sender_root_domains
30 and not headers.auth_summary.dmarc.pass
31 )
32 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
33 )
34
35attack_types:
36 - "Credential Phishing"
37tactics_and_techniques:
38 - "Encryption"
39 - "Evasion"
40 - "PDF"
41 - "Social engineering"
42detection_methods:
43 - "Content analysis"
44 - "Exif analysis"
45 - "File analysis"
46 - "Natural Language Understanding"
47 - "Sender analysis"
48id: "c9596c9a-0465-5364-8523-542e6d25a8f7"