Attachment: PDF with eCheckRun lures

Detects PDF attachments matching YARA rules that look for artifacts related to fake financial/invoice themes, including eCheckRun lures. These are commonly used to trick users into believing they have received legitimate electronic payment messages.

Sublime rule (View on GitHub)

```yaml
name: "Attachment: PDF with eCheckRun lures"
description: "Detects PDF attachments matching YARA rules that look for artifacts related to fake financial/invoice themes, including eCheckRun lures. These are commonly used to trick users into believing they have received legitimate electronic payment messages."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              any(.scan.yara.matches, .name in ("pdf_eCheckLure_format", ))
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
detection_methods:
  - "File analysis"
  - "YARA"
id: "577991e1-b7c4-5f35-a2ca-239424062e7d"
```
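The rule's `source` nests three `any(...)` checks: inbound direction, then only PDF attachments, then every object that `file.explode(.)` produces from each PDF, then the YARA match names on each of those objects. The following is an added Python model of that evaluation order, written for this page and not Sublime's own engine or the real `pdf_eCheckLure_format` YARA rule (whose content is not on this page). The message, attachment and exploded-object classes and the sample messages are constructed to show which conditions must all hold for the rule to fire.

```python
from dataclasses import dataclass, field
from typing import List

# YARA rule names the Sublime rule keys on (taken from the rule's source above).
LURE_RULE_NAMES = ("pdf_eCheckLure_format",)


@dataclass
class ExplodedObject:
    """One object returned by file.explode(.) (constructed model).

    yara_matches holds the names of YARA rules that fired on this object,
    standing in for .scan.yara.matches[].name in MQL.
    """
    label: str
    yara_matches: List[str] = field(default_factory=list)


@dataclass
class Attachment:
    """A message attachment (constructed model of Sublime's attachment object)."""
    file_name: str
    file_type: str                      # MQL: .file_type, e.g. "pdf"
    exploded: List[ExplodedObject] = field(default_factory=list)


@dataclass
class Message:
    inbound: bool                       # MQL: type.inbound
    attachments: List[Attachment] = field(default_factory=list)


def attachment_has_lure(att: Attachment) -> bool:
    """any(file.explode(.), any(.scan.yara.matches, .name in (...)))"""
    return any(
        name in LURE_RULE_NAMES
        for obj in att.exploded
        for name in obj.yara_matches
    )


def matching_attachments(msg: Message) -> List[str]:
    """Names of PDF attachments whose exploded objects hit a lure YARA rule.

    Useful for triage: the rule itself only yields true/false, but an analyst
    wants to know which attachment tripped it.
    """
    pdfs = [a for a in msg.attachments if a.file_type == "pdf"]   # filter(attachments, .file_type == "pdf")
    return [a.file_name for a in pdfs if attachment_has_lure(a)]


def rule_matches(msg: Message) -> bool:
    """Full rule: type.inbound and any(<pdf attachments>, <lure in exploded objects>)."""
    return msg.inbound and bool(matching_attachments(msg))


# Constructed sample messages (not real captures).
HIT_PDF = Attachment(
    file_name="eCheck_Remittance.pdf", file_type="pdf",
    exploded=[ExplodedObject("page text", yara_matches=["pdf_eCheckLure_format"])],
)
CLEAN_PDF = Attachment(
    file_name="quarterly_report.pdf", file_type="pdf",
    exploded=[ExplodedObject("page text", yara_matches=[])],
)
# Same YARA hit but on a non-PDF attachment: the file_type filter excludes it.
HIT_DOCX = Attachment(
    file_name="eCheck.docx", file_type="docx",
    exploded=[ExplodedObject("body", yara_matches=["pdf_eCheckLure_format"])],
)

INBOUND_LURE = Message(inbound=True, attachments=[CLEAN_PDF, HIT_PDF])
INBOUND_CLEAN = Message(inbound=True, attachments=[CLEAN_PDF, HIT_DOCX])
OUTBOUND_LURE = Message(inbound=False, attachments=[HIT_PDF])

if __name__ == "__main__":
    for label, m in [("inbound lure", INBOUND_LURE), ("inbound clean", INBOUND_CLEAN),
                     ("outbound lure", OUTBOUND_LURE)]:
        print(f"{label}: match={rule_matches(m)} attachments={matching_attachments(m)}")
```

The three sample messages isolate each condition: the first fires on the eCheck-themed PDF, the second does not because the only YARA hit is on a `.docx` (outside the `.file_type == "pdf"` filter), and the third carries the same PDF but is outbound, so `type.inbound` short-circuits the rule.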