Attachment: Invoice and W-9 PDFs with suspicious creators
Detects messages containing two PDF attachments where one has invoice-related naming patterns and another contains W-9 tax form indicators, commonly used in business email compromise attacks targeting financial processes.
Sublime rule (View on GitHub)
1name: "Attachment: Invoice and W-9 PDFs with suspicious creators"
2description: "Detects messages containing two PDF attachments where one has invoice-related naming patterns and another contains W-9 tax form indicators, commonly used in business email compromise attacks targeting financial processes."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and length(distinct(attachments, .sha1)) == 2
8 and length(filter(attachments, .file_type == "pdf")) == 2
9 // either of them are chrome/wkhtmltopdf
10 and any(filter(attachments, .file_type == "pdf"),
11 beta.parse_exif(.).creator == "Chromium"
12 or strings.icontains(beta.parse_exif(.).creator, "wkhtmltopdf")
13 or strings.icontains(beta.parse_exif(.).creator, "HeadlessChrome")
14 or (
15 any(beta.parse_exif(.).fields, .key == "Creator" and .value == "")
16 and any(beta.parse_exif(.).fields,
17 .key == "Producer" and .value == ""
18 )
19 )
20 )
21 and any(attachments,
22 strings.istarts_with(.file_name, 'lnv')
23 or strings.istarts_with(.file_name, 'inv-')
24 or strings.istarts_with(.file_name, "invoice_")
25 or regex.contains(.file_name, '^Invoice\s\d{8,9}')
26 or regex.contains(.file_name, '^INV[0-9]{7}')
27 or regex.contains(.file_name, '^INV#[0-9]{12}')
28 or regex.icontains(.file_name, '_inv_')
29 or strings.icontains(beta.ocr(.).text, "Executive Business Coaching")
30 or strings.icontains(beta.ocr(.).text, "Executive Coaching")
31 or strings.icontains(beta.ocr(.).text, "Professional Services")
32 or strings.icontains(beta.ocr(.).text, "Business Systems Integration")
33 or strings.icontains(beta.ocr(.).text, "Consulting & Advisory")
34 or strings.icontains(beta.ocr(.).text, "Zoomlnfo")
35 )
36 and any(attachments,
37 .file_name == ".pdf"
38 or regex.contains(beta.ocr(.).text, 'W[=-]9')
39 or regex.icontains(.file_name, 'w[-_]?9')
40 )
41 and not (
42 sender.email.domain.root_domain in ('intuit.com')
43 and coalesce(headers.auth_summary.dmarc.pass, false)
44 )
45attack_types:
46 - "BEC/Fraud"
47tactics_and_techniques:
48 - "PDF"
49 - "Social engineering"
50 - "Impersonation: Brand"
51detection_methods:
52 - "File analysis"
53 - "Optical Character Recognition"
54 - "Exif analysis"
55 - "Content analysis"
56id: "305d6e32-4104-5007-a209-ee4686081de2"