Attachment: Encrypted PDF With Credential Theft Body

Attached PDF is encrypted, and the email body contains credential-theft language. Seen in the wild impersonating e-fax services.

Sublime rule (View on GitHub)

# Sublime detection rule. Flags an inbound message that (1) carries an
# encrypted PDF attachment, (2) has body text the NLU classifier tags as
# credential theft, and (3) comes from a sender with no trusted history
# (or from a high-trust domain whose mail failed DMARC).
name: "Attachment: Encrypted PDF With Credential Theft Body"
description: "Attached PDF is encrypted, and email body contains credential theft language. Seen in-the-wild impersonating e-fax services."
type: "rule"
severity: "medium"
# MQL expression; every top-level clause below is AND-ed, so all gates must
# hold for the rule to fire.
source: |
  type.inbound
  // Attachment gate: at least one PDF whose exploded contents expose an
  // exiftool "Encryption" field, i.e. the PDF is encrypted.
  // NOTE(review): only .file_type is checked (presumably content-derived);
  // confirm an encrypted PDF with a mismatched extension is still caught.
  and any(attachments,
          .file_type == "pdf"
          and any(file.explode(.),
                  any(.scan.exiftool.fields, .key == "Encryption")
          )
  )
  // Body gate: NLU intent "cred_theft" at medium or high confidence,
  // evaluated on body.current_thread.text (presumably excludes quoted
  // earlier messages — confirm against the classifier contract).
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence in ("medium", "high")
  )
  // Sender gate: either an unfamiliar sender the org never solicited mail
  // from, or a sender with prior malicious/spam messages and no recorded
  // false positives.
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // ($high_trust_sender_root_domains is an externally maintained list; a
  // root domain on it only passes this clause when DMARC did not pass.)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  

# Classification metadata for the rule.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Exif analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
# Rule identifier (UUID).
id: "c9596c9a-0465-5364-8523-542e6d25a8f7"