Attachment: PDF With SAI Global ISO9001 Logo

Detects PDF attachments containing embedded SAI Global ISO9001 logos, which may indicate brand impersonation or fraudulent certification claims.

Sublime rule (View on GitHub)

 1name: "Attachment: PDF With SAI Global ISO9001 Logo"
 2description: "Detects PDF attachments containing embedded SAI Global ISO9001 logos, which may indicate brand impersonation or fraudulent certification claims."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(filter(attachments, .file_type == "pdf"),
 8          any(file.explode(.),
 9              any(.scan.yara.matches,
10                  // yara rule matches on an embedded SAI Global logo that allows for resized versions of the image
11                  .name == "SAI_Global_ISO9001_Logo_PDF_Fuzzy"
12              )
13          )
14  )  
15
16attack_types:
17  - "Credential Phishing"
18tactics_and_techniques:
19  - "Impersonation: Brand"
20  - "PDF"
21detection_methods:
22  - "File analysis"
23  - "YARA"
24id: "3e3e1af4-48ee-5ddf-8051-a1c68c4451ef"