Attachment: Encrypted PDF With Credential Harvesting Indicators

Detects encrypted PDF attachments containing patterns and indicators commonly associated with credential harvesting operations, identified through YARA signature analysis.

Sublime rule (View on GitHub)

name: "Attachment: Encrypted PDF With Credential Harvesting Indicators"
description: "Detects encrypted PDF attachments containing patterns and indicators commonly associated with credential harvesting operations, identified through YARA signature analysis."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              any(.scan.yara.matches, .name in ("pdf_encrypted_cred_phish_001"))
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "PDF"
detection_methods:
  - "File analysis"
  - "YARA"
id: "2122a286-4b6c-5f40-a2cd-2ed02c68baca"
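As an added example (not Sublime's code or the published YARA signature), the following Python mirrors how the rule's predicate evaluates over a constructed inbound message: the body of pdf_encrypted_cred_phish_001 is not on the page, so the YARA match is simulated by a placeholder that only checks for the PDF trailer's /Encrypt entry; the message layout (direction, attachments, exploded, yara_matches) is an assumption chosen to mirror the MQL fields.

```python
import re

# Constructed sample: a minimal PDF skeleton whose trailer references an
# /Encrypt dictionary, which is how a reader knows the file is encrypted.
ENCRYPTED_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog >> endobj\n"
    b"2 0 obj << /Filter /Standard /V 2 /R 3 >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n"
)
# Constructed sample: same skeleton without an /Encrypt entry.
PLAIN_PDF = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

RULE_SIGNATURES = ("pdf_encrypted_cred_phish_001",)


def pdf_is_encrypted(data: bytes) -> bool:
    """True when the file has a PDF header and its trailer points at an
    /Encrypt dictionary via an indirect reference (e.g. '/Encrypt 2 0 R')."""
    return data.startswith(b"%PDF") and \
        re.search(rb"/Encrypt\s+\d+\s+\d+\s+R", data) is not None


def simulated_yara_matches(data: bytes) -> list:
    """Stand-in (assumption) for .scan.yara.matches: the real signature is
    not published on the page, so only the encryption marker is modelled."""
    return [{"name": RULE_SIGNATURES[0]}] if pdf_is_encrypted(data) else []


def rule_fires(message: dict) -> bool:
    """Mirrors the MQL: type.inbound AND any PDF attachment whose exploded
    file carries a YARA match named in RULE_SIGNATURES."""
    if message.get("direction") != "inbound":
        return False
    for att in message.get("attachments", []):
        if att.get("file_type") != "pdf":          # filter(attachments, ...)
            continue
        for exploded in att.get("exploded", []):   # any(file.explode(.), ...)
            if any(m["name"] in RULE_SIGNATURES for m in exploded["yara_matches"]):
                return True
    return False


def build_message(direction: str, pdf_bytes: bytes) -> dict:
    """Assemble a constructed message in the assumed layout for one PDF."""
    return {"direction": direction,
            "attachments": [{"file_type": "pdf",
                             "exploded": [{"yara_matches": simulated_yara_matches(pdf_bytes)}]}]}
```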