Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)

Detects messages with PDF attachments linking directly to suspicious filetypes on hosts with low reputation from unsolicited senders.

Sublime rule

```yaml
name: "Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)"
description: |
    Detects messages with PDF attachments linking directly to suspicious filetypes on hosts with low reputation from unsolicited senders.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any([body.plain.raw, body.html.inner_text],
    any(ml.nlu_classifier(.).entities,
      .name == "request"
    )
  )
  and any(attachments, .file_extension == "pdf"
    and any(file.explode(.),
      any(.scan.pdf.urls,
        regex.contains(.url, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)') and .domain.root_domain not in $tranco_1m
      )
    )
  )
  // unsolicited
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )

tags:
  - "Suspicious attachment"
  - "Ave Maria"
```
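As an added illustration (not code from the Sublime rule or its repository), the same four conditions transcribed into plain Python and run over a constructed message; the list feeds (`$tranco_1m`, `$free_email_providers`), the NLU entity names and the URLs extracted from the PDF are stand-ins for values the platform normally supplies.

```python
import re

# Constructed stand-ins for the rule's list feeds ($tranco_1m, $free_email_providers);
# a real deployment gets these from Sublime's managed lists.
TRANCO_1M = {"microsoft.com", "google.com"}
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com"}
# Same extension pattern the rule applies to every URL extracted from the PDF.
SUSPICIOUS_EXT = re.compile(r"\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)")

def root_domain(host):
    # Crude eTLD+1 approximation (last two labels) standing in for .domain.root_domain
    return ".".join(host.lower().split(".")[-2:])

def host_of(url):
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]

def pdf_links_to_suspicious_file(pdf_urls):
    """The file.explode() / .scan.pdf.urls clause: any URL inside the PDF that
    targets a suspicious extension on a root domain outside the Tranco top 1M."""
    return any(SUSPICIOUS_EXT.search(u) and root_domain(host_of(u)) not in TRANCO_1M
               for u in pdf_urls)

def is_unsolicited(sender_email, recipient_emails):
    """The 'unsolicited' block: free-mail senders must not themselves be a recipient;
    other senders must not share a domain with any recipient."""
    sender_domain = sender_email.split("@")[1].lower()
    recipients = {r.lower() for r in recipient_emails}
    if root_domain(sender_domain) in FREE_EMAIL_PROVIDERS:
        return sender_email.lower() not in recipients
    return sender_domain not in {r.split("@")[1] for r in recipients}

def rule_matches(msg):
    # Mirrors the four AND-ed conditions of the rule, top to bottom.
    return (msg["inbound"]
            and "request" in msg["nlu_entities"]   # stand-in for ml.nlu_classifier output
            and any(a["ext"] == "pdf" and pdf_links_to_suspicious_file(a["pdf_urls"])
                    for a in msg["attachments"])
            and is_unsolicited(msg["sender"], msg["recipients"]))

# Constructed sample message (not a real phish): Gmail sender, PDF whose link fetches an .exe
SAMPLE_MESSAGE = {
    "inbound": True,
    "nlu_entities": ["request"],
    "sender": "payments.desk@gmail.com",
    "recipients": ["ap@example.com"],
    "attachments": [{"ext": "pdf",
                     "pdf_urls": ["https://cdn.files-host.example/Invoice_4421.pdf.exe"]}],
}
```

Flipping any one input (a Tranco-listed host, a link to a plain `.pdf`, or a sender who shares the recipients' domain) drops the match, which is a quick way to see which clause a false positive or false negative hinges on.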
