Attachment: PDF proposal with credential theft indicators
PDF attachment with 'proposal' in filename contains sender or recipient domain, credential theft language detected via OCR, and includes a single URL link.
name: "Attachment: PDF proposal with credential theft indicators"
description: "PDF attachment with 'proposal' in filename contains sender or recipient domain, credential theft language detected via OCR, and includes a single URL link."
type: "rule"
severity: "high"
# Detection logic (MQL). Every condition below must hold for the rule to fire;
# the overall shape is: inbound, not a threaded reply -> exactly one single-page
# PDF with a document-like filename -> OCR text classified as credential theft
# -> exactly one non-mailto URL in the root PDF -> sender not a DMARC-passing
# high-trust domain.
source: |
  // Inbound mail only. Replies/forwards are excluded only when they also carry
  // real threading headers (References / In-Reply-To), so a bare "RE:" subject
  // with no thread history is still evaluated.
  type.inbound
  and not (
    (subject.is_reply or subject.is_forward)
    and (length(headers.references) > 0 or headers.in_reply_to is not null)
  )
  // exactly one PDF attachment on the message
  and length(filter(attachments, .file_type == "pdf")) == 1
  and any(attachments,
          .file_type == "pdf"
          // Filename suggests a business document (proposal / bid / document / RFP / RFQ).
          // NOTE(review): the pattern has a trailing \b but no leading \b, so any
          // filename whose text merely ends one of these words (e.g. "...bid.pdf")
          // also matches; confirm whether that breadth is intended.
          and regex.icontains(.file_name, '(?:proposal|bid|document|rf[pq])\b')
          // single-page document, per the EXIF page count
          and beta.parse_exif(.).page_count == 1
          // OCR text carries a credential-theft intent per the NLU classifier
          and any(ml.nlu_classifier(beta.ocr(.).text).intents,
                  .name == "cred_theft"
          )
          // Short OCR text (< 2000 chars) — presumably to keep this to
          // lure-style one-page PDFs rather than full-length documents.
          and length(beta.ocr(.).text) < 2000
          // OCR must have completed successfully for the two text checks above to be meaningful
          and beta.ocr(.).success
          // The root PDF (explode depth 0) contains exactly one URL, and that URL is
          // neither a mailto: link nor one of the root domains that PDF standards /
          // producers commonly embed as metadata.
          and any(file.explode(.),
                  .depth == 0
                  and length(.scan.url.urls) == 1
                  and all(.scan.url.urls,
                          .domain.root_domain not in (
                            'iso.org',
                            'w3.org',
                            'bfo.com', // pdf producer
                            'camscanner.com', // pdf producer
                          )
                          and not strings.istarts_with(.url, 'mailto')
                  )
          )
  )
  // Exempt highly trusted sender domains, but only when DMARC passes; a message
  // from such a domain that fails (or lacks) DMARC authentication stays in scope.
  // coalesce() treats a missing DMARC result as a failure for this purpose.
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  // NOTE(review): the rule description says the PDF "contains sender or recipient
  // domain", but no such condition appears in this source — confirm whether the
  // description or the logic is the one that is out of date.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "URL analysis"
id: "364658e4-8a02-5632-a5ee-11bd869fb896"