Attachment: Invoice and W-9 PDFs with suspicious creators

Detects messages containing two PDF attachments where one has invoice-related naming patterns and another contains W-9 tax form indicators, commonly used in business email compromise attacks targeting financial processes.


# Sublime Security detection rule (MQL inside the `source` block scalar).
# Fires on inbound mail carrying exactly two PDF attachments: one that looks like
# an invoice (filename pattern or OCR'd text) and one that carries a W-9 indicator,
# where at least one PDF was produced by a browser/HTML-to-PDF tool.
name: "Attachment: Invoice and W-9 PDFs with suspicious creators"
description: "Detects messages containing two PDF attachments where one has invoice-related naming patterns and another contains W-9 tax form indicators, commonly used in business email compromise attacks targeting financial processes."
type: "rule"
severity: "high"
source: |
  type.inbound
  // exactly two distinct attachments (deduplicated by sha1), and exactly two
  // attachments typed as PDF
  and length(distinct(attachments, .sha1)) == 2
  and length(filter(attachments, .file_type == "pdf")) == 2
  // either of them are chrome/wkhtmltopdf
  // at least one PDF's exif creator is exactly "Chromium", or contains
  // "wkhtmltopdf" / "HeadlessChrome" (case-insensitive), or the PDF carries
  // both a "Creator" and a "Producer" exif field whose value is an empty string
  and any(filter(attachments, .file_type == "pdf"),
          beta.parse_exif(.).creator == "Chromium"
          or strings.icontains(beta.parse_exif(.).creator, "wkhtmltopdf")
          or strings.icontains(beta.parse_exif(.).creator, "HeadlessChrome")
          or (
            any(beta.parse_exif(.).fields, .key == "Creator" and .value == "")
            and any(beta.parse_exif(.).fields,
                    .key == "Producer" and .value == ""
            )
          )
  )
  // invoice indicator: filename prefixes / anchored regexes, an "_inv_"
  // substring, or service-description phrases in the OCR'd text.
  // 'lnv' and "Zoomlnfo" are spelled with a lowercase L where an 'i' would be
  // expected -- presumably deliberate lookalike spellings; confirm before editing
  and any(attachments,
          strings.istarts_with(.file_name, 'lnv')
          or strings.istarts_with(.file_name, 'inv-')
          or strings.istarts_with(.file_name, "invoice_")
          or regex.contains(.file_name, '^Invoice\s\d{8,9}')
          or regex.contains(.file_name, '^INV[0-9]{7}')
          or regex.contains(.file_name, '^INV#[0-9]{12}')
          or regex.icontains(.file_name, '_inv_')
          or strings.icontains(beta.ocr(.).text, "Executive Business Coaching")
          or strings.icontains(beta.ocr(.).text, "Executive Coaching")
          or strings.icontains(beta.ocr(.).text, "Professional Services")
          or strings.icontains(beta.ocr(.).text, "Business Systems Integration")
          or strings.icontains(beta.ocr(.).text, "Consulting & Advisory")
          or strings.icontains(beta.ocr(.).text, "Zoomlnfo")
  )
  // W-9 indicator: a filename that is just ".pdf", OCR'd text containing
  // "W-9" or "W=9", or w9 / w-9 / w_9 anywhere in the filename. The filename
  // regex is unanchored, so unrelated names that happen to contain "w9" match too.
  // NOTE(review): this any() is evaluated independently of the invoice any()
  // above, so a single attachment can satisfy both; the "one ... another"
  // wording in the description is not enforced here -- confirm this is intended
  and any(attachments,
          .file_name == ".pdf"
          or regex.contains(beta.ocr(.).text, 'W[=-]9')
          or regex.icontains(.file_name, 'w[-_]?9')
  )
  // suppression: sender root domain is intuit.com AND DMARC passed.
  // coalesce(..., false) treats a missing DMARC result as not passed, so only
  // authenticated intuit.com mail is excluded
  and not (
    sender.email.domain.root_domain in ('intuit.com')
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )  
# rule classification metadata
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
  - "Impersonation: Brand"
detection_methods:
  - "File analysis"
  - "Optical Character Recognition"
  - "Exif analysis"
  - "Content analysis"
id: "305d6e32-4104-5007-a209-ee4686081de2"