Attachment: PDF with suspicious HeadlessChrome metadata

Detects PDF attachments created by HeadlessChrome with suspicious characteristics, including MD5-formatted HTML filenames or blank titles with Windows Skia/PDF producer, excluding legitimate Google Docs files.


# Sublime Security detection rule. The MQL query in `source` is evaluated per
# inbound message; the remaining top-level keys are rule metadata.
name: "Attachment: PDF with suspicious HeadlessChrome metadata"
description: "Detects PDF attachments created by HeadlessChrome with suspicious characteristics, including MD5-formatted HTML filenames or blank titles with Windows Skia/PDF producer, excluding legitimate Google Docs files."
type: "rule"
severity: "medium"
# Literal block scalar: every indented line below is part of the query text,
# so only MQL `//` comments are valid inside it (a `#` would become query text).
source: |
  // Scope: inbound mail only.
  type.inbound
  // Attachments are selected by the file_extension field, so only files
  // presented as ".pdf" are examined; the checks below read PDF metadata
  // fields via beta.parse_exif (creator, producer, title, page_count).
  and any(filter(attachments, .file_extension == "pdf"),
          // Creator string names HeadlessChrome (case-insensitive substring).
          strings.icontains(beta.parse_exif(.).creator, "HeadlessChrome")
          // Single-page documents only.
          and beta.parse_exif(.).page_count == 1
          // At least one of the three suspicious-metadata patterns must hold.
          and (
            // Pattern 1: the PDF title (not the attachment filename) looks like
            // an MD5-named HTML file: 32 hex chars followed by ".html".
            // regex.imatch is case-insensitive, so upper-case hex also matches.
            (
              regex.imatch(beta.parse_exif(.).title, '^[a-f0-9]{32}\.html$')
              or 
              // Pattern 2: title is "about:blank", producer starts with
              // Skia/PDF and the creator string mentions Windows, i.e. a
              // Windows HeadlessChrome print-to-PDF of an empty page.
              (
                beta.parse_exif(.).title == "about:blank"
                and strings.istarts_with(beta.parse_exif(.).producer, "Skia/PDF")
                and strings.icontains(beta.parse_exif(.).creator, "Windows")
              )
              // Pattern 3: the current thread's body carries a cred_theft
              // intent above "low" confidence, combined with the same Windows
              // Skia/PDF producer/creator signature. The NLU call is written
              // inside the attachments any(), so it is expressed once per PDF
              // attachment; whether the platform caches the classifier result
              // is not visible here.
              or (
                any(ml.nlu_classifier(body.current_thread.text).intents,
                    .name == "cred_theft" and .confidence != "low"
                )
                and strings.istarts_with(beta.parse_exif(.).producer, "Skia/PDF")
                and strings.icontains(beta.parse_exif(.).creator, "Windows")
              )
            )
            // Exclude PDFs whose producer names Google Docs (legitimate exports).
            and not strings.icontains(beta.parse_exif(.).producer, "Google Docs")
          )
  )
  // Sender exclusion: these root domains are skipped only when DMARC passed.
  // coalesce() falls back to false when the DMARC result is absent, so an
  // unauthenticated message from one of these domains is still evaluated.
  // NOTE(review): presumably known legitimate senders that triggered the rule;
  // the reason for each entry is not recorded here - confirm with the rule owner.
  and not (
    sender.email.domain.root_domain in (
      "guardtek.net",
      "gominis.com",
      "aglgroup.com",
      "truckerzoom.com"
    )
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )  

# Rule metadata used for classification and reporting.
tags:
- "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "PDF"
detection_methods:
  - "File analysis"
  - "Exif analysis"
# Stable rule identifier.
id: "eda99b1d-5639-57a0-860e-2d55b7f3b84f"
