Attachment: PDF with recipient email in link
Detects PDF attachments whose filename contains the recipient's domain (second-level domain), the recipient's local part, or a financial term, and which include a link personalized with the recipient's email address — either in the URL directly, base64-encoded in the URL, or inside a QR code embedded in the PDF.
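name: "Attachment: PDF with recipient email in link"
description: "Detects PDF attachments whose filename contains the recipient's domain (SLD), local part or a financial term, and which include a link personalized with the recipient's email address, either in the URL directly, encoded in base64, or within a QR code."
type: "rule"
severity: "high"
source: |
  type.inbound
  // at least one PDF document, and only a handful of attachments overall
  and length(filter(attachments, .file_type == "pdf")) >= 1
  and length(attachments) <= 4
  // a single recipient: the personalized link carries exactly one address,
  // so the per-recipient checks below only make sense for one recipient
  and length(recipients.to) == 1
  and all(recipients.to, .email.domain.valid)
  and any(filter(attachments,
                 .file_type == "pdf"
                 and (
                   // the filename contains the recipient's SLD or local part.
                   // NOTE(review): a very short or generic local part / SLD
                   // (e.g. "it", "hr", "info") will match many filenames;
                   // tune here if this produces noise
                   all(recipients.to,
                       strings.icontains(..file_name, .email.domain.sld)
                       or strings.icontains(..file_name, .email.local_part)
                   )
                   // or the filename carries a financial reference
                   // according to the NLU classifier, and the entity text
                   // actually appears (case-sensitively) in the filename
                   or any(ml.nlu_classifier(.file_name).entities,
                          .name == "financial"
                          and strings.contains(..file_name, .text)
                   )
                 )
          ),
          (
            // the URLs embedded in the PDF itself (depth 0 of the explosion)
            any(filter(file.explode(.), .depth == 0),
                any(filter(.scan.pdf.urls,
                           // drop mailto:/email: links; they naturally contain
                           // an address and are not a landing page
                           not strings.istarts_with(.url, 'mailto:')
                           and not strings.istarts_with(.url, 'email:')
                           // drop links whose domain also appears in the
                           // exiftool producer metadata (e.g. the tool vendor's
                           // site) -- such links are not personalized
                           and not (
                             ..scan.exiftool.producer is not null
                             and strings.icontains(..scan.exiftool.producer,
                                                   .domain.domain
                             )
                           )
                           // drop links whose domain also appears in the
                           // exiftool creator metadata
                           and not (
                             ..scan.exiftool.creator is not null
                             and strings.icontains(..scan.exiftool.creator,
                                                   .domain.domain
                             )
                           )
                           // legitimate domains known to personalize links
                           // with the recipient's address
                           and .domain.root_domain not in (
                             "univarsolutions.com",
                             "westpac.com.au",
                             "safeshiphub.com",
                             "sharepoint.com"
                           )
                    ),
                    // a remaining link contains the recipient's email address
                    any(recipients.to,
                        .email.domain.valid
                        and (
                          strings.icontains(..url, .email.email)
                          // or a base64-encoded form of it anywhere in the URL
                          or any(beta.scan_base64(..url,
                                                  format="url",
                                                  ignore_padding=true
                                 ),
                                 strings.icontains(., ..email.email)
                          )
                        )
                    )
                )
            )
            // or a QR code (depth 1, decoded from the PDF) resolves to a URL
            // carrying the recipient's email. Note that the exiftool and
            // allowlist exclusions above are not applied to QR URLs.
            or (
              any(filter(file.explode(.), .depth == 1),
                  .scan.qr.url.domain.valid
                  and any(recipients.to,
                          (
                            // QR code URL contains the email address
                            strings.icontains(..scan.qr.url.url, .email.email)
                            // or the base64-encoded email address
                            or any(beta.scan_base64(..scan.qr.url.url,
                                                    format="url",
                                                    ignore_padding=true
                                   ),
                                   strings.icontains(., ..email.email)
                            )
                          )
                  )
              )
            )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "QR code"
  - "Encryption"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "QR code analysis"
  - "URL analysis"
id: "0399d08f-57c6-58cb-87dc-8e58ccd0bc1b"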