Attachment: PDF with recipient email in link
Detects PDF attachments that contain the recipient's domain in the filename and include a single link personalized with the recipient's email address, either in the URL directly, encoded in base64, or within a QR code.
Sublime rule
# Sublime detection rule. The `source` block is MQL; everything outside it is rule metadata.
# Match shape: inbound message, exactly one To: recipient, 1-4 attachments with at least one
# PDF whose filename references the recipient's SLD (or a "financial" NLU entity), and that PDF
# either carries a single non-excluded URL plus a URL personalized with the recipient's address,
# or an embedded QR code whose URL carries that address (plain or base64-encoded).
name: "Attachment: PDF with recipient email in link"
description: "Detects PDF attachments that contain the recipient's domain in the filename and include a single link personalized with the recipient's email address, either in the URL directly, encoded in base64, or within a QR code."
type: "rule"
severity: "high"
source: |
  type.inbound
  // one or more PDF documents
  and length(filter(attachments, .file_type == "pdf")) >= 1
  // upper bound on attachment count; presumably a noise limit — confirm
  and length(attachments) <= 4
  // a single recipient (this is in the link so there can be only one)
  and length(recipients.to) == 1
  and all(recipients.to, .email.domain.valid)
  // attachment filter: PDFs whose filename looks targeted at this recipient
  and any(filter(attachments,
                 .file_type == "pdf"
                 and (
                   // contains the SLD of recipient
                   all(recipients.to,
                       strings.icontains(..file_name, .email.domain.sld)
                   )
                   // contains financial references
                   // (NLU entity text must literally appear in the filename)
                   or any(ml.nlu_classifier(.file_name).entities,
                          .name == "financial"
                          and strings.contains(..file_name, .text)
                   )
                 )
          ),
          // body: the matching PDF must satisfy the direct-link branch OR the QR branch
          (
            // the urls in the PDF
            // depth == 0 is the PDF itself (not objects extracted from it)
            any(filter(file.explode(.), .depth == 0),
                // a single URL in the PDF
                length(distinct(filter(.scan.pdf.urls,
                                       // remove mailto: links
                                       not strings.istarts_with(.url, 'mailto:')
                                       and not strings.istarts_with(.url,
                                                                    'email:'
                                       )
                                       // remove links whose domain appears in the
                                       // exiftool producer field (presumably links
                                       // back to the PDF generator vendor)
                                       and not (
                                         ..scan.exiftool.producer is not null
                                         and strings.icontains(..scan.exiftool.producer,
                                                               .domain.domain
                                         )
                                       )

                                       // same exclusion for the exiftool creator field
                                       and not (
                                         ..scan.exiftool.creator is not null
                                         and strings.icontains(..scan.exiftool.creator,
                                                               .domain.domain
                                         )
                                       )
                                       // common observed invoice system that exhibits this behavior
                                       and not .domain.root_domain == "univarsolutions.com"
                                ),
                                .url
                       )
                ) == 1
                // it contains the email address of the recipient
                and any(recipients.to,
                        // redundant with the top-level validity check; harmless
                        .email.domain.valid
                        // NOTE: this scans every non-mailto URL in the PDF, not only
                        // the single URL counted above, so the personalized link may
                        // be one that the exclusions above removed from the count
                        and any(..scan.pdf.urls,
                                not strings.istarts_with(.url, 'mailto:')
                                and (
                                  strings.icontains(.url, ..email.email)
                                  // or the base64 encoded email
                                  or any(beta.scan_base64(.url,
                                                          format="url",
                                                          ignore_padding=true
                                         ),
                                         strings.icontains(., ...email.email)
                                  )
                                )
                        )
                )
            )
            // or there is a QR code
            // depth == 1 is content extracted from the PDF; no single-URL
            // requirement applies on this branch
            or (
              any(filter(file.explode(.), .depth == 1),
                  .scan.qr.url.domain.valid
                  and any(recipients.to,
                          // QR code contains the email
                          (
                            strings.icontains(..scan.qr.url.url, .email.email)
                            // QR code contains the base64 encoded email
                            or any(beta.scan_base64(..scan.qr.url.url,
                                                    format="url",
                                                    ignore_padding=true
                                   ),
                                   strings.icontains(., ..email.email)
                            )
                          )
                  )
              )
            )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "QR code"
  # NOTE(review): the only encoding in this rule is base64 of the recipient address,
  # which is obfuscation rather than encryption — confirm this is the intended tag
  - "Encryption"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "QR code analysis"
  - "URL analysis"
id: "0399d08f-57c6-58cb-87dc-8e58ccd0bc1b"