Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)

Detects messages with credential theft PDFs linking to free subdomains.

Sublime rule (View on GitHub)

 1name: "Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)"
 2description: |
 3    Detects messages with credential theft PDFs linking to free subdomains.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and any(ml.nlu_classifier(body.current_thread.text).intents,
 9          .name == "cred_theft" and .confidence in ("medium", "high")
10  )
11  and any(attachments,
12          .file_extension == "pdf"
13          and any(file.explode(.),
14                  any(.scan.pdf.urls,
15                      .domain.root_domain in $free_subdomain_hosts
16                      and .domain.subdomain is not null
17                      and .domain.subdomain != "www"
18                  )
19                  and any(ml.nlu_classifier(.scan.ocr.raw).intents,
20                          .name == "cred_theft" and .confidence in ("medium", "high")
21                  )
22          )
23  )
24  // unsolicited
25  and (
26    not profile.by_sender().solicited
27    or profile.by_sender().any_messages_malicious_or_spam
28  )
29
30  and not profile.by_sender().any_false_positives  
31attack_types:
32  - "Credential Phishing"
33tactics_and_techniques:
34  - "Free subdomain host"
35  - "PDF"
36  - "Social engineering"
37detection_methods:
38  - "File analysis"
39  - "Natural Language Understanding"
40  - "Optical Character Recognition"
41  - "Sender analysis"
42  - "URL analysis"
43id: "90f4ef4e-463f-5ea6-ae83-82ea07a30b70"
to-top