Attachment: PDF with recipient email in link
Detects PDF attachments that contain the recipient's domain in the filename and include a link personalized with the recipient's email address, either in the URL directly, encoded in base64, or within a QR code.
# Sublime Security detection rule; the `source` block is MQL.
# Fires on inbound mail carrying one or more PDF attachments (at most four
# attachments in total) addressed to a single recipient, where a link inside
# the PDF — either an embedded URL or a URL decoded from a QR code — contains
# that recipient's address, literally or as a base64-encoded substring.
#
# NOTE(review): the description mentions the recipient's domain appearing in
# the attachment filename, but no filename check appears in the source below —
# confirm which behaviour is intended and align the text or the logic.
name: "Attachment: PDF with recipient email in link"
description: "Detects PDF attachments that contain the recipient's domain in the filename and include a link personalized with the recipient's email address, either in the URL directly, encoded in base64, or within a QR code."
type: "rule"
severity: "high"
source: |
  type.inbound
  // one or more PDF documents
  and length(filter(attachments, .file_type == "pdf")) >= 1
  // at most four attachments in total
  and length(attachments) <= 4
  // a single recipient (this is in the link so there can be only one)
  and length(recipients.to) == 1
  // and that recipient's domain must be valid
  and all(recipients.to, .email.domain.valid)
  // either branch below may match for any one PDF attachment:
  //   (1) an embedded URL contains the recipient's address, or
  //   (2) a QR code in the PDF decodes to a URL that does
  and any(filter(attachments, .file_type == "pdf"),
          (
            // the urls in the PDF
            // only the top-level exploded object (depth 0), not nested children
            any(filter(file.explode(.), .depth == 0),
                // remove links we are not interested in
                any(filter(.scan.pdf.urls,
                           // remove mailto: links
                           not strings.istarts_with(.url, 'mailto:')
                           and not strings.istarts_with(.url, 'email:')
                           // remove links whose domain also appears in the exiftool
                           // 'producer' metadata (presumably generator/tool URLs
                           // rather than lure links)
                           and not (
                             ..scan.exiftool.producer is not null
                             and strings.icontains(..scan.exiftool.producer,
                                                   .domain.domain
                             )
                           )

                           // same exclusion for the exiftool 'creator' metadata
                           and not (
                             ..scan.exiftool.creator is not null
                             and strings.icontains(..scan.exiftool.creator,
                                                   .domain.domain
                             )
                           )
                           // legitimate root domains that exhibit this behaviour
                           // (allowlist; tune per environment)
                           and .domain.root_domain not in (
                             "univarsolutions.com",
                             "westpac.com.au",
                             "safeshiphub.com",
                             "sharepoint.com"
                           )
                    ),
                    // it contains the email address of the recipient
                    // (..url is the URL string of the enclosing pdf.urls entry)
                    any(recipients.to,
                        .email.domain.valid
                        and (
                          // the address appears literally in the URL
                          strings.icontains(..url, .email.email)
                          // or the base64 encoded email: any base64 substring of
                          // the URL (url-safe alphabet, padding optional) that
                          // decodes to something containing the address
                          // NOTE(review): only the literal and base64 forms are
                          // matched here; other encodings of the address are not
                          // decoded by this rule — confirm that coverage is intended
                          or any(beta.scan_base64(..url,
                                                  format="url",
                                                  ignore_padding=true
                                 ),
                                 strings.icontains(., ..email.email)
                          )
                        )
                    )
                )
            )
          )
          // or there is a QR code
          // NOTE(review): the mailto:/email: exclusions and the root_domain
          // allowlist applied to embedded URLs above are not applied to
          // QR-decoded URLs — confirm whether that asymmetry is intended
          or (
            //
            // This rule makes use of a beta feature and is subject to change without notice
            // using the beta feature in custom rules is not suggested until it has been formally released
            //
            // (. here is the PDF attachment being iterated)
            any(beta.scan_qr(.).items,
                .url.domain.valid
                and any(recipients.to,
                        // QR code contains the email
                        (
                          strings.icontains(..url.url, .email.email)
                          // QR code contains the base64 encoded email
                          // NOTE(review): this branch calls strings.scan_base64
                          // while the URL branch above calls beta.scan_base64 —
                          // confirm both namespaces are still supported
                          or any(strings.scan_base64(..url.url,
                                                     format="url",
                                                     ignore_padding=true
                                 ),
                                 strings.icontains(., ..email.email)
                          )
                        )
                )
            )
          )
  )
# Classification metadata for the rule.
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "QR code"
  - "Encryption"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "QR code analysis"
  - "URL analysis"
# Rule identifier (UUID).
id: "0399d08f-57c6-58cb-87dc-8e58ccd0bc1b"