Attachment: PDF with localhost IP in EXIF title metadata
Detects inbound PDF attachments where the EXIF title metadata starts with '127.0.0.1', sent either to a self-addressed recipient or an invalid recipient domain. This technique may indicate automated or malicious document generation tools embedding localhost references in file metadata.
Sublime rule (View on GitHub)
1name: "Attachment: PDF with localhost IP in EXIF title metadata"
2description: "Detects inbound PDF attachments where the EXIF title metadata starts with '127.0.0.1', sent either to a self-addressed recipient or an invalid recipient domain. This technique may indicate automated or malicious document generation tools embedding localhost references in file metadata."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 // self sender or invaild recipent domain
8 and length(recipients.to) == 1
9 and (
10 sender.email.email == recipients.to[0].email.email
11 or recipients.to[0].email.domain.valid == false
12 )
13 and any(filter(attachments, .file_type == "pdf"),
14 strings.starts_with(beta.parse_exif(.).title, "127.0.0.1")
15 )
16attack_types:
17 - "Credential Phishing"
18 - "Malware/Ransomware"
19tactics_and_techniques:
20 - "PDF"
21 - "Evasion"
22detection_methods:
23 - "Exif analysis"
24 - "File analysis"
25 - "Sender analysis"
26id: "2649b4b9-5228-5b26-af5c-5b4e3b4a9926"