Attachment: Invoice and W-9 PDFs with suspicious creators
Detects messages containing two PDF attachments where one has invoice-related naming patterns and another contains W-9 tax form indicators, with at least one PDF generated by Chrome or wkhtmltopdf tools, commonly used in business email compromise attacks targeting financial processes.
Sublime rule:

```yaml
name: "Attachment: Invoice and W-9 PDFs with suspicious creators"
description: "Detects messages containing two PDF attachments where one has invoice-related naming patterns and another contains W-9 tax form indicators, with at least one PDF generated by Chrome or wkhtmltopdf tools, commonly used in business email compromise attacks targeting financial processes."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(distinct(attachments, .sha1)) == 2
  and length(filter(attachments, .file_type == "pdf")) == 2
  // either of them are chrome/wkhtmltopdf
  and any(filter(attachments, .file_type == "pdf"),
          beta.parse_exif(.).creator == "Chromium"
          or strings.icontains(beta.parse_exif(.).creator, "wkhtmltopdf")
          or strings.icontains(beta.parse_exif(.).creator, "HeadlessChrome")
  )
  and any(attachments,
          strings.istarts_with(.file_name, 'lnv')
          or strings.istarts_with(.file_name, 'inv-')
          or strings.istarts_with(.file_name, "invoice_")
          or regex.contains(.file_name, '^Invoice\s\d{8,9}')
          or regex.contains(.file_name, '^INV[0-9]{7}')
          or regex.contains(.file_name, '^INV#[0-9]{12}')
          or strings.icontains(beta.ocr(.).text, "Executive Business Coaching")
          or strings.icontains(beta.ocr(.).text, "Executive Coaching")
          or strings.icontains(beta.ocr(.).text, "Professional Services")
          or strings.icontains(beta.ocr(.).text, "Business Systems Integration")
          or strings.icontains(beta.ocr(.).text, "Consulting & Advisory")
          or strings.icontains(beta.ocr(.).text, "Zoomlnfo")
  )
  and any(attachments,
          .file_name == ".pdf"
          or regex.contains(beta.ocr(.).text, 'W[=-]9')
          or regex.icontains(.file_name, 'w-?9')
  )
  and not (
    sender.email.domain.root_domain in ('intuit.com')
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
  - "Impersonation: Brand"
detection_methods:
  - "File analysis"
  - "Optical Character Recognition"
  - "Exif analysis"
  - "Content analysis"
id: "305d6e32-4104-5007-a209-ee4686081de2"
```
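To make the rule's logic testable outside Sublime, the following Python is an added model of the same checks (not part of the rule or the Sublime engine). The `Attachment` class is an assumption standing in for the attachment object plus the `beta.parse_exif(.).creator` and `beta.ocr(.).text` values the rule reads; the sample attachments are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class Attachment:
    """Constructed stand-in for a Sublime attachment plus its EXIF/OCR results."""
    file_name: str
    file_type: str
    sha1: str
    creator: str = ""    # beta.parse_exif(.).creator
    ocr_text: str = ""   # beta.ocr(.).text

INVOICE_PREFIXES = ("lnv", "inv-", "invoice_")          # istarts_with (case-insensitive)
INVOICE_PATTERNS = (r"^Invoice\s\d{8,9}", r"^INV[0-9]{7}", r"^INV#[0-9]{12}")  # case-sensitive
INVOICE_PHRASES = ("executive business coaching", "executive coaching",
                   "professional services", "business systems integration",
                   "consulting & advisory", "zoomlnfo")   # note the lowercase-L lure spelling

def suspicious_creator(a):
    """Exact 'Chromium' or case-insensitive wkhtmltopdf/HeadlessChrome in the PDF creator tag."""
    c = a.creator.lower()
    return a.creator == "Chromium" or "wkhtmltopdf" in c or "headlesschrome" in c

def invoice_indicator(a):
    name, text = a.file_name, a.ocr_text.lower()
    return (name.lower().startswith(INVOICE_PREFIXES)
            or any(re.search(p, name) for p in INVOICE_PATTERNS)
            or any(ph in text for ph in INVOICE_PHRASES))

def w9_indicator(a):
    # '.pdf' alone is an empty file name; 'W=9' covers OCR misreading the hyphen
    return (a.file_name == ".pdf"
            or re.search(r"W[=-]9", a.ocr_text) is not None
            or re.search(r"w-?9", a.file_name, re.IGNORECASE) is not None)

def rule_matches(attachments, sender_root_domain, dmarc_pass):
    """Mirror the rule: two distinct PDFs, a suspicious creator, invoice + W-9 cues, intuit.com exclusion."""
    pdfs = [a for a in attachments if a.file_type == "pdf"]
    if len({a.sha1 for a in attachments}) != 2 or len(pdfs) != 2:
        return False
    if not any(suspicious_creator(a) for a in pdfs):
        return False
    if not (any(invoice_indicator(a) for a in attachments)
            and any(w9_indicator(a) for a in attachments)):
        return False
    # Exclusion only applies when DMARC actually passed (coalesce(..., false))
    if sender_root_domain in ("intuit.com",) and dmarc_pass:
        return False
    return True

SAMPLE = [  # constructed: a headless-Chrome invoice and a Word-generated W-9
    Attachment("INV1234567.pdf", "pdf", "aa11", creator="HeadlessChrome/120"),
    Attachment("W-9 form.pdf", "pdf", "bb22", creator="Microsoft Word"),
]
```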