Attachment: PDF with recipient email in link
Detects PDF attachments that contain the recipient's domain in the filename and include a single link personalized with the recipient's email address, either in the URL directly, encoded in base64, or within a QR code.
Sublime rule
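name: "Attachment: PDF with recipient email in link"
description: "Detects PDF attachments that contain the recipient's domain in the filename and include a single link personalized with the recipient's email address, either in the URL directly, encoded in base64, or within a QR code."
type: "rule"
severity: "high"
source: |
  type.inbound
  // one or more PDF documents
  and length(filter(attachments, .file_type == "pdf")) >= 1
  // upper bound on attachment count (presumably to keep the
  // single-personalized-link heuristic narrow; confirm intent)
  and length(attachments) <= 4
  // a single recipient (this is in the link so there can be only one)
  and length(recipients.to) == 1
  and all(recipients.to, .email.domain.valid)
  and any(filter(attachments,
                 .file_type == "pdf"
                 and (
                   // contains the SLD or local part of recipient
                   all(recipients.to,
                       strings.icontains(..file_name, .email.domain.sld)
                       or strings.icontains(..file_name, .email.local_part)
                   )
                   // contains financial references (entity text as extracted
                   // from the file name; case-sensitive match is intentional)
                   or any(ml.nlu_classifier(.file_name).entities,
                          .name == "financial"
                          and strings.contains(..file_name, .text)
                   )
                 )
          ),
          (
            // the urls in the PDF
            // depth 0 is the attachment itself, not files extracted from it
            any(filter(file.explode(.), .depth == 0),
                // a single URL in the PDF
                length(distinct(filter(.scan.pdf.urls,
                                       // remove mailto: links
                                       not strings.istarts_with(.url, 'mailto:')
                                       and not strings.istarts_with(.url,
                                                                    'email:'
                                       )
                                       // remove links whose domain appears in the
                                       // exiftool producer field (tooling boilerplate)
                                       and not (
                                         ..scan.exiftool.producer is not null
                                         and strings.icontains(..scan.exiftool.producer,
                                                               .domain.domain
                                         )
                                       )
                                       // remove links whose domain appears in the
                                       // exiftool creator field (tooling boilerplate)
                                       and not (
                                         ..scan.exiftool.creator is not null
                                         and strings.icontains(..scan.exiftool.creator,
                                                               .domain.domain
                                         )
                                       )
                                       // common observed invoice system that exhibits this behavior
                                       // NOTE: hard-coded exception; a root_domain match also
                                       // excludes every subdomain of it, so review periodically
                                       and not .domain.root_domain == "univarsolutions.com"
                                ),
                                .url
                       )
                ) == 1
                // it contains the email address of the recipient
                and any(recipients.to,
                        .email.domain.valid
                        and any(..scan.pdf.urls,
                                not strings.istarts_with(.url, 'mailto:')
                                and (
                                  strings.icontains(.url, ..email.email)
                                  // or the base64 encoded email
                                  or any(beta.scan_base64(.url,
                                                          format="url",
                                                          ignore_padding=true
                                         ),
                                         strings.icontains(., ...email.email)
                                  )
                                )
                        )
                )
            )
            // or there is a QR code
            // depth 1 covers content extracted from the attachment
            or (
              any(filter(file.explode(.), .depth == 1),
                  .scan.qr.url.domain.valid
                  and any(recipients.to,
                          // QR code contains the email
                          (
                            strings.icontains(..scan.qr.url.url, .email.email)
                            // QR code contains the base64 encoded email
                            or any(beta.scan_base64(..scan.qr.url.url,
                                                    format="url",
                                                    ignore_padding=true
                                   ),
                                   strings.icontains(., ..email.email)
                            )
                          )
                  )
              )
            )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "QR code"
  - "Encryption"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "QR code analysis"
  - "URL analysis"
id: "0399d08f-57c6-58cb-87dc-8e58ccd0bc1b"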