Attachment: PDF with blurry lure image
Detects PDF attachments containing a blurry image used in credential phishing lures.
# Sublime Security detection rule. The `source` block is an MQL expression
# evaluated per message; the rule fires when it evaluates to true.
name: "Attachment: PDF with blurry lure image"
description: "Detects PDF attachments containing a blurry image used in credential phishing lures."
type: "rule"
severity: "medium"
# Detection logic, top to bottom:
#   - message is inbound (`type.inbound`), and
#   - at least one attachment has `.file_type == "pdf"`, and
#   - among the objects returned by `file.explode()` on that attachment, at
#     least one has a YARA match whose `.name` is "pdf_lure_image_blurry".
# The YARA signature is defined outside this rule (not shown on this page).
# NOTE(review): there are no sender, recipient or profile exclusions, so the
# rule's precision rests entirely on that signature — confirm false-positive
# handling against the signature's own documentation.
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              any(.scan.yara.matches, .name in ("pdf_lure_image_blurry", ))
          )
  )
# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
detection_methods:
  - "File analysis"
  - "YARA"
# Stable rule identifier.
id: "5539a3fd-5821-5fd9-9119-7dd9e42cd739"