Attachment: PDF with specific author metadata

Detects inbound messages containing PDF attachments where the EXIF metadata indicates the author or creator is 'Shelby Porter'.

Sublime rule (View on GitHub)

name: "Attachment: PDF with specific author metadata"
description: "Detects inbound messages containing PDF attachments where the EXIF metadata indicates the author or creator is 'Shelby Porter'."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(filter(attachments, .file_type == "pdf")) >= 1
  and any(filter(attachments, .file_type == "pdf"),
          beta.parse_exif(.).author == "Shelby Porter"
          or beta.parse_exif(.).creator == "Shelby Porter"
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
detection_methods:
  - "Exif analysis"
  - "File analysis"
id: "526238f7-82f1-5b6f-8e0c-b90f1e06cea8"
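To show what the rule's predicate evaluates, here is an added Python rendering of the same logic (not Sublime's engine and not code from the rule's repository): a minimal regex reader of the PDF Info dictionary stands in for `beta.parse_exif`, and the two sample PDFs are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample PDFs (not real attachments): a bare Info dictionary is
# all the reader below needs to exercise the rule's author/creator checks.
SUSPECT_PDF = b"%PDF-1.4\n1 0 obj\n<< /Author (Shelby Porter) /Creator (Writer) >>\nendobj\n%%EOF"
BENIGN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Author (Jane Doe) /Creator (LibreOffice) >>\nendobj\n%%EOF"


@dataclass
class Attachment:
    # Mirrors the two attachment fields the rule touches.
    file_type: str
    content: bytes


def pdf_info(content: bytes) -> dict:
    """Pull /Author and /Creator literal strings out of a PDF's Info dictionary.

    Stand-in for beta.parse_exif: only the literal-string form `/Key (value)` is
    handled (escaped characters inside the parentheses are allowed), so hex
    strings, XMP packets and compressed object streams are not seen here.
    """
    fields = {}
    for key in ("Author", "Creator"):
        m = re.search(rb"/" + key.encode() + rb"\s*\(((?:\\.|[^\\)])*)\)", content)
        fields[key.lower()] = m.group(1).decode("latin-1") if m else None
    return fields


def rule_matches(inbound: bool, attachments: list, author: str = "Shelby Porter") -> bool:
    """Evaluate the rule: inbound, at least one PDF, any PDF authored/created by `author`."""
    pdfs = [a for a in attachments if a.file_type == "pdf"]
    if not inbound or len(pdfs) < 1:
        return False
    return any(
        pdf_info(a.content)["author"] == author or pdf_info(a.content)["creator"] == author
        for a in pdfs
    )
```

The comparison is exact and case-sensitive, as in the rule, so a PDF whose metadata lives only in an XMP stream or uses a different case would not fire with this reader.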