Attachment: Legal Themed Message with PDF Containing Suspicious Link

calendar Jun 6, 2025  ยท
Share on: linkedin copy

Message contains urgent legal language, with an attached PDF containing links that redirect through URL shorteners, use suspicious TLDs or CAPTCHA pages.

Sublime rule (View on GitHub)

 1name: "Attachment: Legal Themed Message with PDF Containing Suspicious Link"
 2description: "Message contains urgent legal language, with an attached PDF containing links that redirect through URL shorteners, use suspicious TLDs or CAPTCHA pages."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  // short body
 8  and length(body.current_thread.text) < 1500
 9  // // legal with urgency
10  and any(beta.ml_topic(body.html.display_text).topics,
11          .name == "Legal and Compliance" and .confidence in ("medium", "high")
12  )
13  
14  // is not a reply
15  and length(headers.references) == 0
16  and headers.in_reply_to is null
17  
18  and (
19    // only one attachment
20    length(attachments) == 1
21    // or, any 2 attachments share the ~same file name
22    or any(attachments,
23           any(regex.extract(.file_name,
24                             // the regex extracts the file name, discarding the file extention and any numbers in parens
25                             // "test.txt" and "test (1).pdf" become "test"
26                             '(?P<file_name>.*?)(?:\s*\([^)]+\))*\.[^.]+$'
27               ),
28               length(filter(attachments,
29                             strings.istarts_with(.file_name,
30                                                  ..named_groups["file_name"]
31                             )
32                      )
33               ) > 1
34           )
35    )
36  )
37  
38  and any(attachments,
39          .file_extension == "pdf"
40          and any(file.explode(.),
41                  0 < length(.scan.pdf.urls) < 5
42                  and (
43                    // exported from google docs
44                    strings.icontains(.scan.exiftool.producer,
45                                      "Google Docs Renderer"
46                    )
47                    and any(.scan.pdf.urls,
48                           // with links that are URL shortners
49                           .domain.root_domain in $url_shorteners
50                           or .domain.domain in $url_shorteners
51                           // when visiting those links, the link it is sus
52                           or ml.link_analysis(.).effective_url.domain.tld in $suspicious_tlds
53                           or ml.link_analysis(.).credphish.contains_captcha
54                           or ml.link_analysis(.).credphish.disposition == "phishing"
55                           or strings.icontains(ml.link_analysis(.).final_dom.display_text,
56                                                "I'm Human"
57                           )
58                    )
59                  )
60          )
61  )
62    
63
64attack_types:
65  - "Credential Phishing"
66tactics_and_techniques:
67  - "Evasion"
68  - "PDF"
69  - "Social engineering"
70detection_methods:
71  - "Content analysis"
72  - "File analysis"
73  - "Header analysis"
74  - "Natural Language Understanding"
75  - "URL analysis"
76id: "19133301-8bc0-5a91-b044-fb72cba16bbe"
to-top