Attachment: Suspicious employee policy update document lure

calendar Sep 2, 2025  ·
Share on: linkedin copy

Inbound message containing subject line and attachments related to handbook, compensation, or policy updates. Attachments are limited to Microsoft Word documents and match similar update-related terminology. This pattern has been observed used to delivery credential phishing via QR codes.

Sublime rule (View on GitHub)

 1name: "Attachment: Suspicious employee policy update document lure"
 2description: "Inbound message containing subject line and attachments related to handbook, compensation, or policy updates. Attachments are limited to Microsoft Word documents and match similar update-related terminology.  This pattern has been observed used to delivery credential phishing via QR codes."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    // the subject contains pay related items
 9    (
10      strings.icontains(subject.subject, 'salary')
11      or regex.icontains(subject.subject, '\bpay(?:out|roll|\b)')
12      or strings.icontains(subject.subject, 'remuneration')
13      or strings.icontains(subject.subject, 'bonus')
14      or strings.icontains(subject.subject, 'incentive')
15      or strings.icontains(subject.subject, 'merit')
16      or strings.icontains(subject.subject, 'handbook')
17      or strings.icontains(subject.subject, 'benefits')
18    )
19    and (
20      strings.icontains(subject.subject, 'review')
21      or strings.icontains(subject.subject, 'breakdown')
22      or strings.icontains(subject.subject, 'Access Your')
23      or strings.icontains(subject.subject, 'evaluation')
24      or regex.icontains(subject.subject, 'eval\b')
25      or strings.icontains(subject.subject, 'assessment')
26      or strings.icontains(subject.subject, 'appraisal')
27      or strings.icontains(subject.subject, 'feedback')
28      or strings.icontains(subject.subject, 'performance')
29      or strings.icontains(subject.subject, 'adjustment')
30      or strings.icontains(subject.subject, 'qualification')
31      or strings.icontains(subject.subject, 'increase')
32      or strings.icontains(subject.subject, 'raise')
33      or strings.icontains(subject.subject, 'change')
34      or strings.icontains(subject.subject, 'modification')
35      or strings.icontains(subject.subject, 'distribution')
36      or strings.icontains(subject.subject, 'details')
37      or regex.icontains(subject.subject, 'revis(?:ed|ion)')
38      or regex.icontains(subject.subject, 'amend(?:ed|ment)')
39      or regex.icontains(subject.subject, 'update(?:d| to)')
40      or strings.icontains(subject.subject, 'plan')
41    )
42  )
43  and 0 < length(attachments) <= 3
44  and any(attachments,
45          .file_extension in ("doc", "docx", "docm", "pdf")
46          and (
47            strings.icontains(.file_name, 'salary')
48            or strings.icontains(.file_name, 'compensation')
49            or regex.icontains(.file_name, '\bpay(?:roll|\b)')
50            or strings.icontains(.file_name, 'bonus')
51            or strings.icontains(.file_name, 'incentive')
52            or strings.icontains(.file_name, 'merit')
53            or strings.icontains(.file_name, 'handbook')
54            or strings.icontains(.file_name, 'benefits')
55          )
56          and (
57            strings.icontains(.file_name, 'review')
58            or strings.icontains(.file_name, 'evaluation')
59            or regex.icontains(.file_name, 'eval\b')
60            or strings.icontains(.file_name, 'assessment')
61            or strings.icontains(.file_name, 'appraisal')
62            or strings.icontains(.file_name, 'feedback')
63            or strings.icontains(.file_name, 'performance')
64            or strings.icontains(.file_name, 'adjustment')
65            or strings.icontains(.file_name, 'increase')
66            or strings.icontains(.file_name, 'raise')
67            or strings.icontains(.file_name, 'change')
68            or strings.icontains(.file_name, 'modification')
69            or strings.icontains(.file_name, 'distribution')
70            or strings.icontains(.file_name, 'statement')
71            or regex.icontains(.file_name, 'revis(?:ed|ion)')
72            or regex.icontains(.file_name, 'amend(?:ed|ment)')
73            or regex.icontains(.file_name, 'adjust(?:ed|ment)')
74            or regex.icontains(.file_name, 'update(?:d| to)')
75            or regex.icontains(.file_name, '(January|February|March|April|May|June|July|August|September|October|November|December)\s20[2,3]{1}\d{1}')
76            or (
77              // file name contains recipient's email
78              any(recipients.to,
79                  strings.icontains(..file_name, .email.email)
80                  and .email.domain.valid
81              )
82            )
83          )
84  )
85  and not (
86    sender.email.domain.root_domain in $high_trust_sender_root_domains
87    and coalesce(headers.auth_summary.dmarc.pass, false)
88  )  
89attack_types:
90  - "Credential Phishing"
91tactics_and_techniques:
92  - "PDF"
93  - "Social engineering"
94  - "Evasion"
95detection_methods:
96  - "Content analysis"
97  - "File analysis"
98  - "Sender analysis"
99id: "a8bf1fd1-d9fa-572d-8957-51d6025a5248"
to-top