Attachment: Fake Voicemail via PDF

Identifies inbound messages carrying a single, one-page PDF attachment whose content relates to voicemail or missed-call notifications and which contains a URL or a QR code.

Sublime rule (View on GitHub)

# Sublime Security detection rule. The top-level keys are rule metadata;
# the `source` block scalar holds the MQL detection logic, in which
# `//` lines are MQL comments (part of the string, ignored by the engine).
name: "Attachment: Fake Voicemail via PDF"
description: "Identifies inbound messages containing a single-page PDF attachment related to voicemail or missed call notifications that includes either a URL or QR code."
type: "rule"
severity: "medium"
source: |
  // scope: inbound mail only
  type.inbound
  // a single PDF attachment
  and length(attachments) == 1
  // the subject doesn't contain fax, which is currently a common match for the topic
  and not strings.icontains(subject.subject, 'fax')
  // language gate on the subject; the topic checks below are only applied to english text
  and ml.nlu_classifier(subject.subject).language == "english"
  // the message body itself must also be classified (high confidence) as a
  // voicemail / missed-call notification, not just the attachment
  and any(beta.ml_topic(body.current_thread.text).topics,
          .confidence == "high"
          and .name == "Voicemail Call and Missed Call Notifications"
  )
  // the Topic analysis of the PDF is Voicemail
  and any(attachments,
          .file_extension == "pdf"
          // the NLU detected language is english
          and ml.nlu_classifier(beta.ocr(.).text).language == "english"
          // require a minimum amount of OCR'd text so the topic classifier has
          // something meaningful to work with (filters near-empty or image-only PDFs)
          and length(beta.ocr(.).text) > 100
          and any(beta.ml_topic(beta.ocr(.).text).topics,
                  .confidence == "high"
                  and .name == "Voicemail Call and Missed Call Notifications"
          )
          // OCR must have succeeded; the OCR-derived checks above only mean
          // anything when this holds (all conjuncts must be true, so order is immaterial)
          and beta.ocr(.).success
          // contains a link or QR code
          // a small URL count (1-2) matches a single call-to-action lure; PDFs
          // with many embedded links are deliberately not matched by this clause
          and any(file.explode(.),
                  0 < length(.scan.pdf.urls) <= 2 or .scan.qr.url.url is not null
          )
          // there is only a single page
          // NOTE(review): depth == 0 presumably selects the PDF itself rather than
          // content extracted from it, so page_count is read from the top-level file — verify
          and any(file.explode(.), .depth == 0 and .scan.exiftool.page_count == 1)
  )  
# Classification metadata (used for reporting and triage, not for matching)
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "QR code analysis"
  - "URL analysis"
# stable unique identifier for this rule
id: "d3587209-a8e6-5209-8dfc-35646b6ccd23"