Attachment: Legal themed message or PDF with suspicious indicators
Detects messages with a short body or an emoji that carry a PDF attachment from a suspicious creator and contain legal and compliance language together with embedded malicious links, URL shorteners, or newly registered domains.
# Sublime Security detection rule: YAML metadata around an MQL `source` query.
# The query is one AND chain; every numbered group below must hold for a match:
#   1. inbound message with a short body, or an emoji in the body or subject
#   2. not a reply (no References entries, no In-Reply-To header)
#   3. a single attachment, or attachments sharing a base file name, AND a PDF
#      whose exiftool producer matches one of the listed generators
#   4. either legal-themed body text plus a suspicious link inside the PDF, or
#      an almost empty body plus legal/threatening text found by OCR in the PDF
name: "Attachment: Legal themed message or PDF with suspicious indicators"
description: "Detects messages with short body content or emoji containing PDF attachments from suspicious creators that include legal and compliance language with embedded malicious links, URL shorteners, or newly registered domains."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // short body or contains emoji: fewer than 1500 characters of current-thread
  // text, or a character from the listed Unicode emoji/symbol ranges in the
  // raw plain-text body or in the subject
  and (
    length(body.current_thread.text) < 1500
    or regex.contains(body.plain.raw,
                      '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
    )
    or regex.contains(subject.base,
                      '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
    )
  )

  // is not a reply: no References entries and no In-Reply-To header
  and length(headers.references) == 0
  and headers.in_reply_to is null
  and (
    ( // only one attachment
      length(attachments) == 1
      // or, any 2 attachments share the ~same file name
      or any(attachments,
             any(regex.extract(.file_name,
                               // the regex extracts the file name, discarding the file extension and any numbers in parens
                               // "test.txt" and "test (1).pdf" become "test"
                               '(?P<file_name>.*?)(?:\s*\([^)]+\))*\.[^.]+$'
                 ),
                 // count attachments whose name starts with the extracted base;
                 // the attachment under inspection always matches itself, so a
                 // count above 1 means another attachment shares the base name
                 // NOTE(review): an empty capture (nothing before the extension)
                 // presumably makes the prefix test match every attachment — confirm
                 length(filter(attachments,
                               strings.istarts_with(.file_name,
                                                    ..named_groups["file_name"]
                               )
                        )
                 ) > 1
             )
      )
    )
    // suspicious creator: a PDF (by file_extension or file_type) whose exiftool
    // producer string matches one of these generators (case-insensitive glob)
    and any(attachments,
            (.file_extension == "pdf" or .file_type == "pdf")
            and any(file.explode(.),
                    strings.ilike(.scan.exiftool.producer,
                                  "*Google Docs Renderer*",
                                  "*Skia/PDF*",
                                  "*Neevia Document Converter*"
                    )
            )
    )
  )

  and (
    // legal language in body with suspicious link in attachment
    (
      any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "Legal and Compliance" and .confidence in ("medium", "high")
      )
      and any(attachments,
              (.file_extension == "pdf" or .file_type == "pdf")
              and any(file.explode(.),
                      // between 1 and 4 URLs extracted from the PDF
                      0 < length(.scan.pdf.urls) < 5
                      and (
                        any(.scan.pdf.urls,
                            // with links that are URL shorteners (root domain or
                            // full domain on the $url_shorteners list)
                            .domain.root_domain in $url_shorteners
                            or .domain.domain in $url_shorteners
                            // or a domain registered less than 14 days ago per whois
                            or network.whois(.domain).days_old < 14
                            // or link analysis of the visited URL lands somewhere
                            // suspicious: a TLD on the $suspicious_tlds list, a
                            // CAPTCHA gate, a phishing disposition, or "I'm Human"
                            // display text in the final page DOM
                            or ml.link_analysis(.).effective_url.domain.tld in $suspicious_tlds
                            or ml.link_analysis(.).credphish.contains_captcha
                            or ml.link_analysis(.).credphish.disposition == "phishing"
                            or strings.icontains(ml.link_analysis(.).final_dom.display_text,
                                                 "I'm Human"
                            )
                        )
                      )
              )
      )
    )
    // no body text, legal language in attachment
    or (
      length(body.current_thread.text) < 50
      and any(attachments,
              (.file_extension == "pdf" or .file_type == "pdf")
              and any(file.explode(.),
                      (
                        // the OCR text of the PDF classifies to exactly one topic,
                        // that topic is Legal and Compliance at medium/high
                        // confidence, and no "sender" entity in the text equals
                        // the display name (=~ is MQL's case-insensitive equality)
                        length(ml.nlu_classifier(.scan.ocr.raw).topics) == 1
                        and any(ml.nlu_classifier(.scan.ocr.raw).topics,
                                .name == "Legal and Compliance"
                                and .confidence in ("medium", "high")
                        )
                        and not any(ml.nlu_classifier(.scan.ocr.raw).entities,
                                    .name == "sender"
                                    and .text =~ sender.display_name
                        )
                      )
                      // foreign language indicators: case-insensitive keywords
                      // that recur in the threatening text this rule targets
                      or regex.icontains(.scan.ocr.raw,
                                         'pornograph(y|ie)',
                                         'interpol',
                                         'europol',
                                         'dissuade',
                                         // French indicators, seen in threatening language
                                         'ce jeu en ligne',
                                         'vraie vie'
                      )
              )
      )
    )
  )
attack_types:
  - "Credential Phishing"
  - "Extortion"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "URL analysis"
  - "Whois"
  - "Header analysis"
  - "Exif analysis"
id: "19133301-8bc0-5a91-b044-fb72cba16bbe"