Attachment: PDF file with recipient domain and ATT eCheckRun pattern

Detects inbound PDF attachments whose filename starts with "ATT", contains "eCheckRun", and includes the recipient's domain, potentially indicating targeted financial document spoofing (a lure built to look like a legitimate check-run document addressed to that organization).

Sublime rule (View on GitHub)

name: "Attachment: PDF file with recipient domain and ATT eCheckRun pattern"
description: "Detects PDF attachments with filenames containing the recipient's domain, potentially indicating targeted financial document spoofing."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          strings.icontains(.file_name, recipients.to[0].email.domain.sld)
          and strings.starts_with(.file_name, "ATT")
          and strings.icontains(.file_name, "eCheckRun")
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Content analysis"
id: "bae6e288-85c0-59b8-9fc7-ce9001dad3d2"
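The filename logic of the rule above, re-implemented in Python as an added illustration (not Sublime's own code) so the three conditions can be exercised against constructed attachment metadata. It assumes the first `to` recipient is given as a plain address, that `file_type` is already the detected type rather than the extension, and it uses a simplified second-level-domain extraction without a public-suffix list (Sublime's `.domain.sld` is suffix-aware).

```python
from dataclasses import dataclass


@dataclass
class Attachment:
    file_name: str
    file_type: str  # detected type, as Sublime's .file_type (not the extension)


def sld_of(email: str) -> str:
    """Second-level domain label of an address: 'ap@mail.example.com' -> 'example'.

    Assumption for this example: no public-suffix list, so 'example.co.uk'
    would yield 'co'. Sublime's .domain.sld handles such suffixes correctly.
    """
    domain = email.rsplit("@", 1)[-1].lower()
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else domain


def matches_rule(first_to_recipient: str, attachments: list[Attachment],
                 inbound: bool = True) -> bool:
    """Mirror of the rule's source block.

    type.inbound must hold, and at least one PDF attachment must satisfy all of:
      - strings.icontains(.file_name, recipients.to[0].email.domain.sld)  (case-insensitive)
      - strings.starts_with(.file_name, "ATT")                            (case-sensitive)
      - strings.icontains(.file_name, "eCheckRun")                        (case-insensitive)
    """
    if not inbound:
        return False
    sld = sld_of(first_to_recipient)
    for att in filter(lambda a: a.file_type == "pdf", attachments):
        name = att.file_name
        if (sld in name.lower()
                and name.startswith("ATT")
                and "echeckrun" in name.lower()):
            return True
    return False


# Constructed samples: one lure-style match and three near-misses that the rule ignores.
SAMPLES = {
    "match": Attachment("ATT_Acme_eCheckRun_0412.pdf", "pdf"),
    "lowercase_att": Attachment("att_acme_eCheckRun.pdf", "pdf"),   # starts_with is case-sensitive
    "not_pdf": Attachment("ATT_Acme_eCheckRun.docx", "docx"),       # filtered out before name checks
    "no_domain": Attachment("ATT_eCheckRun_Payment.pdf", "pdf"),    # recipient SLD absent
}


def evaluate_samples(recipient: str = "ap@acme.com") -> dict[str, bool]:
    return {label: matches_rule(recipient, [att]) for label, att in SAMPLES.items()}
```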