Attachment: Fake voicemail via PDF

Identifies inbound messages containing a single-page PDF attachment related to voicemail or missed call notifications that includes either a URL or QR code.

Sublime rule (View on GitHub)

# Sublime detection rule: one inbound PDF that reads as a voicemail / missed-call
# notice and carries a link or QR code (a credential-phishing lure).
name: "Attachment: Fake voicemail via PDF"
description: "Identifies inbound messages containing a single-page PDF attachment related to voicemail or missed call notifications that includes either a URL or QR code."
type: "rule"
severity: "medium"
# MQL query; every conjunct below must hold for a message to match.
source: |
  type.inbound
  // a single PDF attachment
  and length(attachments) == 1
  // the subject doesn't contain fax, which is currently a common match for the topic
  // (case-insensitive substring match on the normalised subject)
  and not strings.icontains(subject.base, 'fax')
  // body gate: an empty body is acceptable (attachment-only lure); a non-empty
  // body must be English and either carry the voicemail topic or the "bec" intent
  and (
    length(body.current_thread.text) == 0
    or (
      ml.nlu_classifier(body.current_thread.text).language == "english"
      and (
        any(ml.nlu_classifier(body.current_thread.text).topics,
            .confidence == "high"
            and .name == "Voicemail Call and Missed Call Notifications"
        )
        or any(ml.nlu_classifier(body.current_thread.text).intents,
               .confidence == "high" and .name == "bec"
        )
      )
    )
  )
  // the Topic analysis of the PDF is Voicemail
  and any(attachments,
          .file_extension == "pdf"
          // NOTE(review): exact, case-sensitive extension compare; confirm that
          // file_extension is lower-cased before this runs
          // the NLU detected language is english
          and ml.nlu_classifier(beta.ocr(.).text).language == "english"
          // minimum amount of OCR'd text before the topic result is trusted;
          // the origin of the 95-character threshold is not documented here
          and length(beta.ocr(.).text) > 95
          and any(ml.nlu_classifier(beta.ocr(.).text).topics,
                  .confidence == "high"
                  and .name == "Voicemail Call and Missed Call Notifications"
          )
          // the OCR pass itself must have succeeded; the text, language and topic
          // checks above read the same OCR output
          and beta.ocr(.).success
          // contains a link or QR code
          // (one or two extracted URLs, or a QR code that decodes to a URL;
          //  this any() is not restricted to depth 0, unlike the page check below)
          and any(file.explode(.),
                  0 < length(.scan.pdf.urls) <= 2 or .scan.qr.url.url is not null
          )
          // there is only a single page
          // (depth 0 presumably is the PDF itself rather than an object extracted
          //  from it — verify against file.explode semantics)
          and any(file.explode(.), .depth == 0 and .scan.exiftool.page_count == 1)
  )
  // suppression: authenticated zendesk.com mail is excluded. coalesce() turns a
  // missing DMARC result into false, so unauthenticated mail from that domain is
  // still eligible to match
  and not (
    sender.email.domain.root_domain == "zendesk.com"
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )  
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "QR code analysis"
  - "URL analysis"
id: "d3587209-a8e6-5209-8dfc-35646b6ccd23"