Attachment: PDF with recipient email in link

Detects PDF attachments that contain the recipient's domain in the filename and include a single link personalized with the recipient's email address, either in the URL directly, encoded in base64, or within a QR code. Because the personalized link is matched against the one address in the To: header, the rule deliberately requires exactly one To: recipient, exactly one PDF attachment, and exactly one non-mailto link inside that PDF; messages outside those constraints are not matched.

Sublime rule (View on GitHub)

 1name: "Attachment: PDF with recipient email in link"
 2description: "Detects PDF attachments that contain the recipient's domain in the filename and include a single link personalized with the recipient's email address, either in the URL directly, encoded in base64, or within a QR code."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  // a single recipient (this is in the link so there can be only one)
 8  and length(recipients.to) == 1
 9  and all(recipients.to, .email.domain.valid)
10  // a single PDF attachment
11  and length(filter(attachments, .file_type == "pdf")) == 1
12  // in the PDF attachment
13  and any(attachments,
14          .file_type == "pdf"
15          and all(recipients.to,
16                  strings.icontains(..file_name, .email.domain.sld)
17                  // now file.explode the attachment and look for the eamil address in links
18                  and any(file.explode(..),
19                          // there is only a single link
20                          length(
21                                 filter(.scan.url.urls,
22                                        not strings.icontains(.url, 'mailto')
23                                        and not strings.istarts_with(.url, 'email:')
24                                 )
25                          ) == 1
26                          // that link contains the email address
27                          and (
28                            any(
29                                // filter out mailto links
30                                filter(.scan.url.urls,
31                                       not strings.icontains(.url, 'mailto')
32                                       and not strings.istarts_with(.url, 'email:')
33                                ),
34                                // in the URL
35                                strings.icontains(.url, ...email.email)
36                                or any(beta.scan_base64(.url,
37                                                        format="url",
38                                                        ignore_padding=true
39                                       ),
40                                       strings.icontains(., ..url)
41                                )
42                            )
43                            // or in a QR code
44                            or strings.icontains(.scan.qr.url.url, ..email.email)
45                            or any(beta.scan_base64(.scan.qr.url.url,
46                                                    format="url",
47                                                    ignore_padding=true
48                                   ),
49                                   strings.icontains(., ...email.email)
50                            )
51                          )
52                  )
53          )
54  )  
55attack_types:
56  - "Credential Phishing"
57tactics_and_techniques:
58  - "PDF"
59  - "QR code"
60  - "Encryption"
61  - "Social engineering"
62detection_methods:
63  - "File analysis"
64  - "QR code analysis"
65  - "URL analysis"
66id: "0399d08f-57c6-58cb-87dc-8e58ccd0bc1b"