Attachment: PDF with W-9 form indicators

Detects inbound messages containing PDF attachments that match structural or signature patterns consistent with specific W-9 tax lure activity sets.

Sublime rule (View on GitHub)

name: "Attachment: PDF with W-9 form indicators"
description: "Detects inbound messages containing PDF attachments that match structural or signature patterns consistent with specific W-9 tax lure activity sets."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              any(.scan.yara.matches,
                  .name in ("w9_c001_signatures", "w9_c001_structure")
              )
          )
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
  - "Impersonation: Brand"
detection_methods:
  - "YARA"
  - "File analysis"
  - "Content analysis"
id: "1ff3445d-539e-57f9-b578-447f34933129"
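The rule's source is three nested any() calls: keep only PDF attachments, explode each one into the files it contains, and fire if any exploded file carries a YARA match with one of the two named rules. The Python below is an added model of that evaluation order, written for this page; it is not Sublime's MQL engine, and the message and attachment objects, the field names (inbound, file_type, exploded, yara_matches) and the constructed sample messages are assumptions. Only the two YARA rule names come from the rule itself.

```python
"""Added example: a Python model of how the rule's nested any()/filter()
logic evaluates. Not Sublime's engine; the data model and samples are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List

# The only values taken from the rule: the YARA rule names it looks for.
W9_YARA_NAMES = frozenset({"w9_c001_signatures", "w9_c001_structure"})


@dataclass
class YaraMatch:
    name: str  # assumed stand-in for .scan.yara.matches[].name


@dataclass
class ExplodedFile:
    yara_matches: List[YaraMatch]  # assumed stand-in for .scan.yara.matches


@dataclass
class Attachment:
    file_type: str                 # assumed stand-in for .file_type
    exploded: List[ExplodedFile]   # assumed stand-in for file.explode(.)


@dataclass
class Message:
    inbound: bool                  # assumed stand-in for type.inbound
    attachments: List[Attachment]


def matches_rule(msg: Message) -> bool:
    """Mirror the rule: inbound AND any PDF attachment whose exploded
    contents include a YARA hit named in W9_YARA_NAMES."""
    if not msg.inbound:
        return False
    # filter(attachments, .file_type == "pdf")
    pdfs = [a for a in msg.attachments if a.file_type == "pdf"]
    # any(pdfs, any(file.explode(.), any(.scan.yara.matches, .name in (...))))
    return any(
        any(
            any(m.name in W9_YARA_NAMES for m in f.yara_matches)
            for f in a.exploded
        )
        for a in pdfs
    )


def sample_messages() -> Dict[str, Message]:
    """Constructed messages covering the decision points of the rule."""
    w9_hit = ExplodedFile([YaraMatch("w9_c001_structure")])
    other_hit = ExplodedFile([YaraMatch("unrelated_rule")])  # constructed name
    return {
        # Inbound PDF whose exploded content matches a named W-9 rule.
        "hit": Message(True, [Attachment("pdf", [w9_hit])]),
        # Same content, but the message is not inbound.
        "outbound": Message(False, [Attachment("pdf", [w9_hit])]),
        # Same YARA hit, but the attachment is not a PDF.
        "not_pdf": Message(True, [Attachment("docx", [w9_hit])]),
        # Inbound PDF with YARA matches, none of them the W-9 rules.
        "other_yara": Message(True, [Attachment("pdf", [other_hit])]),
        # Inbound PDF that explodes to nothing (no scan results at all).
        "empty": Message(True, [Attachment("pdf", [])]),
    }


if __name__ == "__main__":
    for label, msg in sample_messages().items():
        print(f"{label:>10}: {'ALERT' if matches_rule(msg) else 'pass'}")
```

Two things the model makes visible that the YAML alone does not: the file_type filter runs before explosion, so a W-9 YARA hit inside a non-PDF container never reaches the inner check, and the rule is only as good as the named YARA rules being present in the environment. If w9_c001_signatures and w9_c001_structure are missing or renamed, every PDF falls through the innermost any() with no match and the rule silently fires on nothing.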