Attachment: PDF with recipient email in link
Detects PDF attachments that contain the recipient's domain in the filename and include a single link personalized with the recipient's email address, either in the URL directly, encoded in base64, or within a QR code.
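name: "Attachment: PDF with recipient email in link"
description: "Detects PDF attachments that contain the recipient's domain in the filename and include a single link personalized with the recipient's email address, either in the URL directly, encoded in base64, or within a QR code."
type: "rule"
severity: "high"
source: |
  type.inbound
  // a single recipient (this is in the link so there can be only one)
  and length(recipients.to) == 1
  and all(recipients.to, .email.domain.valid)
  // a single PDF attachment
  and length(filter(attachments, .file_type == "pdf")) == 1
  // in the PDF attachment
  and any(attachments,
          .file_type == "pdf"
          // scope note: inside an any/all/filter, `.` is the current item and
          // each additional leading dot steps out one enclosing scope
          and all(recipients.to,
                  // the recipient's second-level domain appears in the attachment file name
                  strings.icontains(..file_name, .email.domain.sld)
                  // now file.explode the attachment and look for the email address in links
                  and any(file.explode(..),
                          // there is only a single link (mailto / email: links excluded)
                          length(
                            filter(.scan.url.urls,
                                   not strings.icontains(.url, 'mailto')
                                   and not strings.istarts_with(.url, 'email:')
                            )
                          ) == 1
                          // that link contains the email address
                          and (
                            any(
                                // filter out mailto links
                                filter(.scan.url.urls,
                                       not strings.icontains(.url, 'mailto')
                                       and not strings.istarts_with(.url, 'email:')
                                ),
                                // in the URL: `.` = url, `..` = exploded file, `...` = recipient
                                strings.icontains(.url, ...email.email)
                                // or base64-encoded inside the URL. Inside this any(), `.` is the
                                // decoded string and `..` is the url object, so the recipient is
                                // four scopes up. The previous version compared the decoded
                                // string against `..url` (the link itself), which never tests
                                // for the recipient's email address.
                                or any(beta.scan_base64(.url,
                                                        format="url",
                                                        ignore_padding=true
                                       ),
                                       strings.icontains(., ....email.email)
                                )
                            )
                            // or in a QR code: `.` = exploded file, `..` = recipient
                            or strings.icontains(.scan.qr.url.url, ..email.email)
                            // or base64-encoded inside the QR code URL:
                            // `.` = decoded string, `..` = exploded file, `...` = recipient
                            or any(beta.scan_base64(.scan.qr.url.url,
                                                    format="url",
                                                    ignore_padding=true
                                   ),
                                   strings.icontains(., ...email.email)
                            )
                          )
                  )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "QR code"
  - "Encryption"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "QR code analysis"
  - "URL analysis"
id: "0399d08f-57c6-58cb-87dc-8e58ccd0bc1b"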