Attachment: Adobe branded PDF file linking to a password-protected file from first-time sender
Detects PDF files with links to a remotely hosted password-protected file. This is a common technique abused by phishing actors as well as malware actors (IcedID, Remcos, AsyncRAT).
Sublime rule
name: "Attachment: Adobe branded PDF file linking to a password-protected file from first-time sender"
description: |
  Detects pdf files with links to a remotely hosted password-protected file. This is a common technique
  abused by Phishing actors as well as Malware actors (IcedID, Remcos, Async Rat)
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_extension == "pdf"
          and any(file.explode(.),
                  any(ml.nlu_classifier(.scan.ocr.raw).intents,
                      .name == "cred_theft" and .confidence == "high"
                  )
                  and strings.icontains(.scan.ocr.raw, "password-protected")
                  and any(ml.nlu_classifier(.scan.ocr.raw).entities,
                          .name == "org" and .text == "Adobe"
                  )
          )
  )
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "Impersonation: Brand"
  - "PDF"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "5ea75469-58e8-561e-9a19-24da14a946b7"
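To exercise the rule's two halves (the OCR/NLU attachment conditions and the first-time-sender branch) against constructed messages outside Sublime, here is an added Python re-implementation; it is not Sublime's code. It assumes the OCR text and NLU classifier output arrive as precomputed fields, and the provider and known-sender lists are constructed samples standing in for $free_email_providers, $sender_emails and $sender_domains.

```python
# Added example: the rule's logic mirrored in Python for offline testing.
# OCR text and NLU results are modelled as precomputed fields (assumption);
# the real rule obtains them via file.explode and ml.nlu_classifier.
from dataclasses import dataclass, field

FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}  # constructed sample
KNOWN_SENDER_EMAILS = {"alice@gmail.com"}                         # constructed: $sender_emails
KNOWN_SENDER_DOMAINS = {"partner.example"}                        # constructed: $sender_domains


@dataclass
class ExplodedFile:
    ocr_text: str
    intents: list    # (name, confidence) pairs, standing in for .intents
    entities: list   # (name, text) pairs, standing in for .entities


@dataclass
class Attachment:
    file_extension: str
    exploded: list = field(default_factory=list)  # files produced by file.explode


@dataclass
class Message:
    sender_email: str
    attachments: list = field(default_factory=list)


def file_is_suspicious(f: ExplodedFile) -> bool:
    """High-confidence cred_theft intent, 'password-protected' text, Adobe org entity."""
    cred_theft = any(n == "cred_theft" and c == "high" for n, c in f.intents)
    adobe = any(n == "org" and t == "Adobe" for n, t in f.entities)
    return cred_theft and "password-protected" in f.ocr_text.lower() and adobe


def first_time_sender(sender: str) -> bool:
    """Free-mail senders are keyed by full address; everyone else by sending domain."""
    domain = sender.split("@", 1)[1].lower()
    root = ".".join(domain.split(".")[-2:])  # simplified root_domain (assumption)
    if root in FREE_EMAIL_PROVIDERS:
        return sender.lower() not in KNOWN_SENDER_EMAILS
    return domain not in KNOWN_SENDER_DOMAINS


def rule_matches(msg: Message) -> bool:
    pdf_hit = any(a.file_extension == "pdf" and any(file_is_suspicious(f) for f in a.exploded)
                  for a in msg.attachments)
    return pdf_hit and first_time_sender(msg.sender_email)
```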