Attachment: PDF with personal Microsoft OneNote URL

Detects PDF attachments containing a SharePoint URL referencing the sender's personal OneNote.


 1name: "Attachment: PDF with personal Microsoft OneNote URL"
 2description: "Detects PDF attachments containing a sharepoint URL referencing the senders personal OneNote."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(filter(attachments, .file_type == "pdf")) >= 1
 8  and any(attachments,
 9          .file_type == "pdf"
10          and any(file.explode(.),
11                  any(.scan.url.urls,
12                      strings.icontains(.path,
13                                        strings.concat("/:o:/p/",
14                                                       sender.email.local_part
15                                        )
16                      )
17                      or strings.icontains(.path, "/:o:/g/personal/")
18                  )
19          )
20  )  
21attack_types:
22  - "Credential Phishing"
23tactics_and_techniques:
24  - "PDF"
25  - "Social engineering"
26detection_methods:
27  - "File analysis"
28  - "Content analysis"
29id: "0675bbc5-b322-5bd6-a4ea-61dc5346d603"