Attachment: PDF with suspicious link and action-oriented language
Detects PDF attachments containing a single link that leads to pages with language prompting users to view, review, or read documents, accounts, or business-related content such as bids, proposals, agreements, or contracts.
name: "Attachment: PDF with suspicious link and action-oriented language"
description: "Detects PDF attachments containing a single link that leads to pages with language prompting users to view, review, or read documents, accounts, or business-related content such as bids, proposals, agreements, or contracts."
type: "rule"
severity: "high"
source: |
  // Scope: inbound mail carrying exactly one attachment, which must be a
  // one-page PDF whose top-level content holds exactly one URL. That URL is
  // then fetched (ml.link_analysis) and the landing page is inspected for
  // "view/review/read the document" style lure text.
  type.inbound
  and length(attachments) == 1
  and any(attachments,
          .file_type == "pdf"
          // single-page PDFs are the typical "click here" lure shape
          and beta.parse_exif(.).page_count == 1
          and any(file.explode(.),
                  // only the top-level exploded object (depth 0), not nested files
                  .depth == 0
                  // exactly one link keeps the FP rate down
                  and length(.scan.url.urls) == 1
                  and any(filter(.scan.url.urls,
                                 // ignore mailto:/email: links
                                 not strings.istarts_with(.url, 'mailto:')
                                 and not strings.istarts_with(.url, 'email:')
                                 // ignore a URL whose domain is named in the PDF
                                 // producer metadata (usually the generating tool's own site)
                                 and not (
                                   ..scan.exiftool.producer is not null
                                   and strings.icontains(..scan.exiftool.producer,
                                                         .domain.domain
                                   )
                                 )

                                 // same exclusion for the creator metadata field
                                 and not (
                                   ..scan.exiftool.creator is not null
                                   and strings.icontains(..scan.exiftool.creator,
                                                         .domain.domain
                                   )
                                 )
                                 // known benign generator domain
                                 and not .domain.root_domain in ('pdf-tools.com')
                          ),
                          // Branch 1: the page loads (2xx), has fewer than 100 links,
                          // and at least one link points off the PDF link's root domain
                          // with action-oriented anchor text.
                          (
                            200 <= ml.link_analysis(.).status_code < 300
                            and length(ml.link_analysis(.).final_dom.links) < 100
                            and any(ml.link_analysis(.).final_dom.links,
                                    .href_url.domain.root_domain != ..domain.root_domain
                                    // "view/review/see/read <up to 3 words> document|message|now"
                                    // or "request|review <1-5 chars> bid|proposal|agreement|..."
                                    and regex.icontains(.display_text,
                                                        '\b(?:(?:re)?view|see|read)[\t\x20]*(?:\S+[\t\x20]*){0,3}[\t\x20]*(?:document|message|now)',
                                                        '\b(?:request|review)\b.{1,5}\b(?:bid|proposal|agreement|portfolio|contract|settlement|invoice)\b',
                                    )
                            )
                          )
                          // Branch 2: the page loads (2xx) and its whole visible text is
                          // short (< 1050 chars) and matches the same action-oriented patterns.
                          or (
                            200 <= ml.link_analysis(.).status_code < 300
                            and length(ml.link_analysis(.).final_dom.display_text) < 1050
                            and regex.icontains(ml.link_analysis(.).final_dom.display_text,
                                                '\b(?:(?:re)?view|see|read)[\t\x20]*(?:\S+[\t\x20]*){0,3}[\t\x20]*(?:document|message|now)',
                                                '\b(?:request|review)\b.{1,5}\b(?:bid|proposal|agreement|portfolio|contract|settlement|invoice)\b'
                            )
                            // known FP: an Australian payment system's notification page
                            and not strings.icontains(ml.link_analysis(.).final_dom.display_text,
                                                      'View Podium Message'
                            )
                          )
                          // Branch 3: the page <title> carries a high-confidence lure phrase.
                          // NOTE(review): unlike branches 1 and 2 this branch is not gated on
                          // a 2xx status code -- confirm that is intentional.
                          or any(html.xpath(ml.link_analysis(.).final_dom,
                                            '//title'
                                 ).nodes,
                                 strings.icontains(.raw, 'Secure Document')
                          )
                  )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "URL analysis"
  - "Content analysis"
  - "URL screenshot"
id: "816d33a0-5217-5b17-a656-f8ce888592cb"