Attachment: PDF Attachment with links to workers.dev

Detects inbound messages containing PDF attachments with fewer than 5 pages that, when analyzed, contain URLs pointing to workers.dev subdomains. This pattern indicates potential abuse of Cloudflare Workers infrastructure to host malicious content delivered via PDF documents.

Sublime rule

name: "Attachment: PDF Attachment with links to workers.dev"
description: "Detects inbound messages containing PDF attachments with fewer than 5 pages that, when analyzed, contain URLs pointing to workers.dev subdomains. This pattern indicates potential abuse of Cloudflare Workers infrastructure to host malicious content delivered via PDF documents."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          beta.parse_exif(.).page_count <= 2
          and any(file.explode(.),
                  any(.scan.url.urls, .domain.root_domain == "workers.dev")
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "Free subdomain host"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Exif analysis"
  - "URL analysis"
id: "e8be2515-8b3d-5222-80da-6ecfad58341a"
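Added here as an illustration, not Sublime's own code: a small Python re-implementation of the rule's logic (inbound, PDF, page_count <= 2 as in the rule source, any link whose root domain is workers.dev) run over a constructed minimal PDF. The page counter and URL extractor are regex stand-ins for beta.parse_exif and file.explode, and root_domain is simplified to the last two host labels (an assumption, not Sublime's implementation).

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Attachment:
    file_type: str   # mirrors .file_type in the rule
    content: bytes

def make_pdf(n_pages: int, uri: str) -> bytes:
    """Constructed minimal PDF; the first page carries a link annotation to `uri`."""
    kids = " ".join(f"{3 + i} 0 R" for i in range(n_pages))
    objs = [b"%PDF-1.4\n",
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
            f"2 0 obj << /Type /Pages /Kids [{kids}] /Count {n_pages} >> endobj\n".encode()]
    for i in range(n_pages):
        annots = f" /Annots [{3 + n_pages} 0 R]" if i == 0 else ""
        objs.append(f"{3 + i} 0 obj << /Type /Page /Parent 2 0 R{annots} >> endobj\n".encode())
    objs.append(f"{3 + n_pages} 0 obj << /Type /Annot /Subtype /Link "
                f"/A << /S /URI /URI ({uri}) >> >> endobj\n".encode())
    objs.append(b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return b"".join(objs)

def page_count(pdf: bytes) -> int:
    # Stands in for beta.parse_exif(.).page_count: count /Type /Page objects,
    # with a word boundary so the /Pages tree node is not counted.
    return len(re.findall(rb"/Type\s*/Page\b", pdf))

def extract_urls(pdf: bytes) -> list[str]:
    # Stands in for file.explode(.) -> .scan.url.urls: URI link actions only.
    return [m.decode("latin-1") for m in re.findall(rb"/URI\s*\((https?://[^)\s]+)\)", pdf)]

def root_domain(url: str) -> str:
    # Simplified .domain.root_domain: last two host labels (assumption, not Sublime's logic).
    labels = (urlparse(url).hostname or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def matches_rule(attachments: list[Attachment], inbound: bool = True) -> bool:
    """Re-implements the rule: inbound, PDF, page_count <= 2, any link to workers.dev."""
    if not inbound:
        return False
    for att in attachments:
        if att.file_type != "pdf" or page_count(att.content) > 2:
            continue
        if any(root_domain(u) == "workers.dev" for u in extract_urls(att.content)):
            return True
    return False
```

The three-page and non-PDF cases in the test show where the rule's own filters (page threshold, file type, inbound direction) stop the match, which is what you would tune if the rule proved noisy.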