Attachment: PDF with password in filename matching body text

Detects messages containing a single PDF attachment where the filename includes a numeric password that is explicitly referenced in the message body text.

Sublime rule (View on GitHub)

```yaml
name: "Attachment: PDF with password in filename matching body text"
description: "Detects messages containing a single PDF attachment where the filename includes a numeric password that is explicitly referenced in the message body text."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(filter(attachments, .file_type == "pdf")) == 1
  and any(regex.extract(body.current_thread.text, 'password is (?P<pw>[0-9]{1,})'),
          any(filter(attachments, .file_type == "pdf"),
              strings.contains(.file_name, ..named_groups["pw"])
          )
  )
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "PDF"
detection_methods:
  - "Content analysis"
  - "File analysis"
id: "2c9c3b24-62de-539a-a217-219021f1014b"
```
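To show how the `source` expression evaluates against a message, here is an added Python reimplementation of the rule's logic (not Sublime's engine and not part of the rule itself), run over constructed sample messages; the `Attachment` class and the `sample_*` functions are assumptions made for this demo.

```python
import re
from dataclasses import dataclass

@dataclass
class Attachment:
    file_name: str
    file_type: str  # stands in for Sublime's .file_type, e.g. "pdf"

# Same pattern the rule passes to regex.extract(); the named group holds the digits.
PASSWORD_RE = re.compile(r"password is (?P<pw>[0-9]{1,})")

def matches_rule(body_text: str, attachments: list, inbound: bool = True) -> bool:
    """Mirror of the rule's `source` block: inbound, exactly one PDF attachment,
    and a numeric password stated in the body that also appears in that PDF's name."""
    if not inbound:                      # type.inbound
        return False
    pdfs = [a for a in attachments if a.file_type == "pdf"]
    if len(pdfs) != 1:                   # length(filter(attachments, .file_type == "pdf")) == 1
        return False
    # any(regex.extract(...), any(filter(...), strings.contains(.file_name, ..named_groups["pw"])))
    for m in PASSWORD_RE.finditer(body_text):
        pw = m.group("pw")
        if any(pw in a.file_name for a in pdfs):   # strings.contains is case-sensitive, as is `in`
            return True
    return False

# Constructed sample messages (invented for this example, not real samples).
def sample_hit() -> bool:
    body = "Your invoice is attached. The password is 4821 for the document."
    return matches_rule(body, [Attachment("Invoice_4821.pdf", "pdf")])

def sample_password_not_in_name() -> bool:
    body = "The password is 4821."
    return matches_rule(body, [Attachment("Invoice.pdf", "pdf")])

def sample_two_pdfs() -> bool:
    # The rule requires exactly one PDF, so two PDFs do not fire even with a matching name.
    body = "The password is 4821."
    return matches_rule(body, [Attachment("a_4821.pdf", "pdf"), Attachment("b.pdf", "pdf")])

def sample_non_numeric() -> bool:
    # Alphabetic passwords fall outside the [0-9]{1,} group, so the rule stays silent.
    body = "The password is secret."
    return matches_rule(body, [Attachment("secret.pdf", "pdf")])
```

The negative cases document the rule's blind spots: a password that is non-numeric, phrased differently than "password is", or not echoed in the filename, and messages with more than one PDF, all fall outside its scope.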