Attachment: Self-sender PDF with minimal content and view prompt

Detects messages where the sender and recipient are the same address with a PDF attachment containing only 'VIEW PDF' text and a standardized body message requesting to view the attachment.

Sublime rule (View on GitHub)

# Sublime Security detection rule; the MQL query lives under `source`.
name: "Attachment: Self-sender PDF with minimal content and view prompt"
description: "Detects messages where the sender and recipient are the same address with a PDF attachment containing only 'VIEW PDF' text and a standardized body message requesting to view the attachment."
type: "rule"
# Triage rating assigned by the rule author.
severity: "high"
source: |
  type.inbound
  // self sender: exactly one To: recipient, and that recipient is either
  // the sender's own address or an address whose domain fails validation
  and length(recipients.to) == 1
  and (
    sender.email.email == recipients.to[0].email.email
    or recipients.to[0].email.domain.valid == false
  )
  // current-thread body must open with the templated lure text
  // NOTE(review): this is a case-sensitive prefix match as written — confirm
  // whether a case-insensitive variant is intended for the lure template
  and strings.starts_with(body.current_thread.text, 'Please see attached')
  // at least one PDF attachment whose exploded scan yields exactly one
  // extracted string, and that string is 'VIEW PDF'; a PDF with any other
  // extracted text (or text rendered only as an image) will not match
  and any(filter(attachments, .file_type == 'pdf'),
          any(file.explode(.),
              .scan.strings.strings[0] == 'VIEW PDF'
              and length(.scan.strings.strings) == 1
          )
  )  
# Classification metadata: attack types, tactics/techniques and detection methods.
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Sender analysis"
# Stable identifier for this rule.
id: "07670a8c-4e64-5807-8c9e-97171c076884"