Attachment: PDF with localhost IP in EXIF title metadata

Detects inbound PDF attachments where the EXIF title metadata starts with '127.0.0.1', sent either to a self-addressed recipient or an invalid recipient domain. This technique may indicate automated or malicious document generation tools embedding localhost references in file metadata.

Sublime rule (View on GitHub)

 1name: "Attachment: PDF with localhost IP in EXIF title metadata"
 2description: "Detects inbound PDF attachments where the EXIF title metadata starts with '127.0.0.1', sent either to a self-addressed recipient or an invalid recipient domain. This technique may indicate automated or malicious document generation tools embedding localhost references in file metadata."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  // self sender or invaild recipent domain
 8  and length(recipients.to) == 1
 9  and (
10    sender.email.email == recipients.to[0].email.email
11    or recipients.to[0].email.domain.valid == false
12  )
13  and any(filter(attachments, .file_type == "pdf"),
14          strings.starts_with(beta.parse_exif(.).title, "127.0.0.1")
15  )  
16attack_types:
17  - "Credential Phishing"
18  - "Malware/Ransomware"
19tactics_and_techniques:
20  - "PDF"
21  - "Evasion"
22detection_methods:
23  - "Exif analysis"
24  - "File analysis"
25  - "Sender analysis"
26id: "2649b4b9-5228-5b26-af5c-5b4e3b4a9926"
to-top