Attachment: Legal themed message with PDF containing suspicious link

Message with legal-themed content (per NLU topic classification), sent as a fresh thread rather than a reply, carrying a single PDF (or duplicate-named attachments) whose one to four embedded links point to URL shorteners or newly registered domains, or resolve to suspicious TLDs, CAPTCHA/"I'm Human" gates, or pages classified as phishing.

Sublime rule (View on GitHub)

 1name: "Attachment: Legal themed message with PDF containing suspicious link"
 2description: "Message contains urgent legal language, with an attached PDF containing links that redirect through URL shorteners, use suspicious TLDs or CAPTCHA pages."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  // short body or contains emoji
 8  and (
 9    length(body.current_thread.text) < 1500
10    or regex.contains(body.plain.raw,
11                      '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
12    )
13  )
14  // legal with urgency
15  and any(ml.nlu_classifier(body.html.display_text).topics,
16          .name == "Legal and Compliance" and .confidence in ("medium", "high")
17  )
18  
19  // is not a reply
20  and length(headers.references) == 0
21  and headers.in_reply_to is null
22  and (
23    // only one attachment
24    length(attachments) == 1
25    // or, any 2 attachments share the ~same file name
26    or any(attachments,
27           any(regex.extract(.file_name,
28                             // the regex extracts the file name, discarding the file extention and any numbers in parens
29                             // "test.txt" and "test (1).pdf" become "test"
30                             '(?P<file_name>.*?)(?:\s*\([^)]+\))*\.[^.]+$'
31               ),
32               length(filter(attachments,
33                             strings.istarts_with(.file_name,
34                                                  ..named_groups["file_name"]
35                             )
36                      )
37               ) > 1
38           )
39    )
40  )
41  and any(attachments,
42          .file_extension == "pdf"
43          and any(file.explode(.),
44                  0 < length(.scan.pdf.urls) < 5
45                  and (
46                    // suspicious producer
47                    strings.ilike(.scan.exiftool.producer,
48                                  "*Google Docs Renderer*",
49                                  "*Skia/PDF*"
50                    )
51                    and any(.scan.pdf.urls,
52                            // with links that are URL shortners
53                            .domain.root_domain in $url_shorteners
54                            or .domain.domain in $url_shorteners
55                            or network.whois(.domain).days_old < 14
56                            // when visiting those links, the link it is sus
57                            or ml.link_analysis(.).effective_url.domain.tld in $suspicious_tlds
58                            or ml.link_analysis(.).credphish.contains_captcha
59                            or ml.link_analysis(.).credphish.disposition == "phishing"
60                            or strings.icontains(ml.link_analysis(.).final_dom.display_text,
61                                                 "I'm Human"
62                            )
63                    )
64                  )
65          )
66  )  
67attack_types:
68  - "Credential Phishing"
69tactics_and_techniques:
70  - "Evasion"
71  - "PDF"
72  - "Social engineering"
73detection_methods:
74  - "Content analysis"
75  - "File analysis"
76  - "Header analysis"
77  - "Natural Language Understanding"
78  - "URL analysis"
79id: "19133301-8bc0-5a91-b044-fb72cba16bbe"