Attachment: PDF with self-service platform links with self sender or blank recipients

Detects single-page PDF attachments containing links to self-service content creation platforms, sent to either the sender's own email address or an invalid email domain. This pattern may indicate testing of malicious content or preparation for distribution.

Sublime rule

```yaml
name: "Attachment: PDF with self-service platform links with self sender or blank recipients"
description: "Detects single-page PDF attachments containing links to self-service content creation platforms, sent to either the sender's own email address or an invalid email domain. This pattern may indicate testing of malicious content or preparation for distribution."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sum([length(recipients.to), length(recipients.cc)]) == 1
  and (
    sender.email.email == recipients.to[0].email.email
    or recipients.to[0].email.domain.valid == false
  )
  and length(attachments) == 1
  and beta.parse_exif(attachments[0]).page_count == 1
  and any(filter(attachments, .file_type == "pdf"),
          any(filter(file.explode(.), .depth == 0),
              1 <= length(filter(.scan.url.urls,
                                 // remove mailto: links
                                 not strings.istarts_with(.url, 'mailto:')
                                 and not strings.istarts_with(.url, 'email:')
                                 // remove links found in exiftool output producer/creator
                                 and not any([
                                               ..scan.exiftool.producer,
                                               ..scan.exiftool.creator
                                             ],
                                             . is not null
                                             and strings.icontains(.,
                                                                   ..domain.domain
                                             )
                                 )
                                 and not .domain.root_domain in ('pdf-tools.com')
                                 and not .url in (
                                   'https://gamma.app/?utm_source=made-with-gamma'
                                 )
                          )
              ) <= 3
              and all(.scan.url.urls,
                      .domain.root_domain in $self_service_creation_platform_domains
                      or .domain.domain in $self_service_creation_platform_domains
              )
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "Evasion"
  - "Free file host"
detection_methods:
  - "File analysis"
  - "Exif analysis"
  - "URL analysis"
  - "Sender analysis"
id: "9b97f4cf-ab96-5f92-a1ca-90967b94bcb1"
```
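The same logic as the rule above, rewritten in plain Python so the individual conditions (single recipient who is the sender or has an invalid domain, one single-page PDF, one to three countable links, every link on a self-service platform) can be checked against a constructed message. This is an added example, not Sublime's code: the platform domain list, the TLD stand-in for `domain.valid`, the regex-based PDF link and metadata extraction, and the sample PDF are all assumptions made here.

```python
import re
from urllib.parse import urlparse
# Constructed stand-ins: Sublime's $self_service_creation_platform_domains list,
# its domain.valid check and its exiftool fields are not on the page.
PLATFORM_DOMAINS = {"gamma.app", "canva.com"}
EXCLUDED_ROOT_DOMAINS = {"pdf-tools.com"}
EXCLUDED_URLS = {"https://gamma.app/?utm_source=made-with-gamma"}
VALID_TLDS = {"com", "app", "net", "org"}
MAIL_SCHEMES = ("mailto:", "email:")

# Constructed single-page PDF: one lure link plus the "made with gamma" footer link.
SAMPLE_PDF = b"""%PDF-1.4
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Subtype /Link /A << /S /URI /URI (https://gamma.app/docs/open-invoice) >> >> endobj
5 0 obj << /Subtype /Link /A << /S /URI /URI (https://gamma.app/?utm_source=made-with-gamma) >> >> endobj
6 0 obj << /Producer (Skia/PDF m119) >> endobj
%%EOF
"""

def pdf_page_count(pdf: bytes) -> int:
    return len(re.findall(rb"/Type\s*/Page\b", pdf))  # \b keeps the /Pages node out

def pdf_urls(pdf: bytes) -> list:
    return [m.decode() for m in re.findall(rb"/URI\s*\(([^)]*)\)", pdf)]

def root_domain(host: str) -> str:
    return ".".join(host.split(".")[-2:])

def countable_link(url: str, tools: list) -> bool:
    # The rule's filter(): drop mail links, links whose domain is named in the
    # producer/creator metadata, and the known-benign domain and URL.
    host = urlparse(url).netloc.lower()
    return (not url.lower().startswith(MAIL_SCHEMES) and url not in EXCLUDED_URLS
            and not any(host in t.lower() for t in tools)
            and root_domain(host) not in EXCLUDED_ROOT_DOMAINS)

def pdf_is_platform_lure(pdf: bytes) -> bool:
    urls = pdf_urls(pdf)
    tools = [m.decode() for m in re.findall(rb"/(?:Producer|Creator)\s*\(([^)]*)\)", pdf)]
    hosts = [urlparse(u).netloc.lower() for u in urls if not u.lower().startswith(MAIL_SCHEMES)]
    return 1 <= sum(countable_link(u, tools) for u in urls) <= 3 and all(
        h in PLATFORM_DOMAINS or root_domain(h) in PLATFORM_DOMAINS for h in hosts)

def matches_rule(msg: dict) -> bool:
    rcpts = msg["to"] + msg["cc"]
    if msg["direction"] != "inbound" or len(rcpts) != 1 or len(msg["attachments"]) != 1:
        return False
    rcpt = rcpts[0].lower()  # self-addressed, or a recipient domain with no known TLD
    if msg["sender"].lower() != rcpt and rcpt.rsplit(".", 1)[-1] in VALID_TLDS:
        return False
    name, pdf = msg["attachments"][0]
    return name.lower().endswith(".pdf") and pdf_page_count(pdf) == 1 and pdf_is_platform_lure(pdf)
```

Note the producer/creator exclusion: a PDF whose metadata names the same domain as its links (for example a platform's own export stamp) contributes no countable links and does not match, which is why the sample's producer string is a neutral one.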
